FOREWORD

Space shuttle characteristics are expected to allow selective easing 
of many cost-inducing criteria now required of payloads placed in orbit by 
expendable launch systems. Of particular interest is the prerequisite of 
identifying and differentiating between the minimum, mandatory design and 
verification criteria for sortie payloads and all other criteria for
payload projects.

The TRW Systems Group under two concurrent contracts to NASA/JSC 
(NAS9-12741 and NAS9-12742) has performed a combined study effort entitled 
"Space Shuttle Sortie Payload Crew Safety and Systems Compatibility Criteria" 
for the express purpose of addressing the determination of mandatory and
discretionary design and verification criteria applicable to sortie
payloads from an operational space shuttle management viewpoint. The study
projects were performed during the period from 16 May 1972 through 15 May 1973.

The studies were sponsored jointly by NASA Headquarters' Mission and
Payload Integration Office of the Office of Manned Space Flight, and the
Lyndon B. Johnson Space Center's Engineering and Development Directorate.
Study direction was provided by Mr. Earle M. Crum of the Future Programs
Division, Payloads Engineering Office. He was assisted by a NASA
Management Team representing NASA Headquarters, Johnson Space, Kennedy
Space, Langley Research, Lewis Research, and Marshall Space Flight Centers.

The results of these studies are documented in the following three
volumes:


Space Shuttle Sortie Payload Crew Safety and Systems
Compatibility Criteria Documentation

Volume   Title                                                    Document No.
I        Executive Summary                                        22214/22215-H013-R0-00
II       Crew Safety Design and Verification Criteria             22214-H014-R0-00
III      Systems Compatibility Design and Verification Criteria   22215-H014-R0-00
1. INTRODUCTION


1.1 BACKGROUND 

NASA is currently examining shuttle payload costs in an effort to 
both more accurately predict and reduce such costs. History indicates 
that the criteria applied by NASA to previous space payloads caused them 
to be quite expensive. This practice was acceptable considering the 
costs associated with the launch and the necessity for a high probability 
of mission success. However, when these costs are used to estimate the 
cost of future shuttle payloads, it is evident that there would soon be 
a cost factor limiting the use of the shuttle. 

Fortunately, the shuttle characteristics will allow selectively 
easing many of the cost-inducing criteria now placed on expendable launch 
system payloads. Relaxing these criteria is expected to greatly reduce 
the cost of space payload development. 

Central to those cost-reducing efforts must be the capability to 
identify and differentiate between the minimum, mandatory design and 
verification criteria for shuttle sortie payloads and all other candidate 
criteria for payload projects. Accordingly, this study will contribute 
to lower sortie payload costs by producing a methodology capable of 
defining only the minimum criteria required for crew safety from a sortie 
payload. The resulting criteria will form the basis of future
specifications to be developed when quantitative shuttle data are available.

1.2 OBJECTIVES 

The prime objective of this study was to identify the minimum, 
mandatory payload design and verification criteria necessary to insure that 
sortie payloads are safe with respect to the crew of the space shuttle 
system, distinguishing them from those criteria related to mission success, 
configuration choices or management approaches which are, therefore,
discretionary to project management as variables in cost/benefit trades.
Specific study objectives are tabulated in Table 1-1. 
Table 1-1. Specific Study Objectives


• Research, identify, and analyze past safety practices in analogous
payload situations to establish a historical perspective and to
utilize available experience.

• Establish categorizing processes for distinguishing between shuttle
mandatory and discretionary crew safety design and verification
criteria.

• Identify the mandatory design and verification criteria that are
required by shuttle management to insure crew safety of sortie
payloads with the space shuttle system.

• Identify the crew safety design and verification criteria that are
discretionary to payload management as variables in cost/benefit
trades.


1.3 SCOPE 

The scope of this study is bounded by the sortie payload definition
illustrated in Figure 1-1. These elements remain attached to the orbiter
at all times and therefore do not include propulsion systems nor
free-flying satellites. A given sortie payload may interface with the shuttle
mission specialist station (MSS) or the payload specialist station (PSS) 
and excludes a remote manipulator system. Several pallets of experimental 
equipment may reside in the payload bay as well as piggy-back package(s). 
Additionally, as in Skylab, some experiment equipments may also be included 
in the shuttle crew compartments. 

Accordingly, the criteria derived by this study are applicable to 
sortie payload elements carried in the shuttle payload bay or in the crew 
compartments,* and are intended to insure the safety of the crew. 

Additional criteria which are contained in the systems compatibility 
report (volume III of this report) reflect control of incompatibilities 
which could have safety implications. 
Figure 1-1. Shuttle Sortie Payload Philosophy


Because, in general, sortie payloads are pre-phase A in development, 
a generalized sortie payload was conceived against which a preliminary 
hazard analysis could be scoped. This generalized payload model contains 
the subsystems, instruments, and considerations known to be included in 
representative sortie payloads and the model is defined in Section 5. 

The basic guidelines employed in the study are summarized in 
Table 1-2. 
Table 1-2. Study Guidelines


• This study addresses the post R&D, operational shuttle era
assuming a mature, fixed-design, "shuttle airlines" flight
operations capability oriented to low-complexity, low-cost
operations.

• Design and test considerations include only those imposed
by the space shuttle for mission purposes and are confined
within the limits from terminal countdown through a
normal landing.

• Whether payload equipment is from the civilian sector or
GFE should not alter the applicability of the shuttle
imposed mandatory criteria. The payload should be given
maximum possible latitude.

• Extravehicular activity (EVA) requirements are not excluded
from a sortie payload. However, shuttle EVA equipment is
excluded from assignment to the payload.

• Study definitions:

- Criteria are general rules by which the acceptability
of shuttle payloads may be determined.

- Specifications are the translations of criteria into
explicit, usually quantitative, statements suitable
for detailed design and test purposes. A criterion may
translate into several specifications.

- Requirements may be criteria or specifications which
have been imposed by appropriate administrative
authority.

- Crew Safety involves those payload design features that
must be satisfied so that any credible hazard (i.e.,
believable as proven by experience or analytical
techniques) is eliminated or its expectance reduced
to acceptable limits of risk.

- Hazards are events or conditions that could cause death
or serious injury to one or more of the orbiter personnel
through either direct means or indirectly via
propagation of vehicle hardware damage (other
non-crew-hazard hardware safety considerations are treated as
systems compatibility).

- Mandatory crew safety design criteria and verification
levels are defined, levied and controlled by shuttle
management and are obligatory to all sortie payload
elements.

- Discretionary design criteria make up all other criteria.
Implementation and verification of these criteria are
subject to payload project management prerogatives.
2. PRECEDENT PRACTICES RESEARCH

The "precedent practices" research was the first major task of the study.
The objective was to examine past safety practices in order to provide a
basis upon which to recommend those practices and safety criteria
appropriate for application to Shuttle sortie payloads. Specific candidate
safety criteria were accumulated during the course of the historical
research.

2.1 APPROACH 

The basic approach to the research phase of the study consisted of 
outlining a research plan containing queries designed to derive needed
information, and criteria for selection of the programs to be studied.
Implementation consisted of selecting the programs, gathering and analyzing 
the data from these programs, and iterating appropriate conclusions and 
recommendations for use in the shuttle era. 

2.1.1 Required Information 

The first of two parallel efforts defined the information that would be
needed to establish the criteria which should be recommended for the shuttle
era. The information needed to establish applications to future programs
is represented by the seven data search points summarized below in
Table 2-1.
Table 2-1. Research Queries Applied to Each Program


• Determine what criteria were used to write payload design
specifications that were placed upon experimenters to assure
safety. If not available, obtain payload specifications.

• Determine what payload verification criteria or specifications
were used to assure man/vehicle safety from harmful payload
effects.

• Determine which of these design and verification criteria
or specifications were relaxed or revised from their
original requirement, and why.

• When criteria were specified, determine the method of
application and the philosophy of the criteria.

• Determine which criteria or specifications resulted in
high production or verification costs with respect to
overall costs.

• Indicate how successful the payload was and if any failures
caused safety problems.

• Indicate extent to which off-the-shelf or standard components
were used in the payload, and whether failure of these
components affected non-vehicle safety.


2.1.2 Programs To Be Researched 

In selecting the programs from which this information was desired, 
attempts were made to choose programs having the most identity with the 
space shuttle sortie payload situation. The driving considerations 
were these: 


• The program should be analogous to the space shuttle
situation, especially where a payload was adapted
to its carrier vehicle.

• Most recent programs were studied so that up-to-date
technology would be considered.

• Unmanned space programs were studied because of the sortie
payload remote (unmanned) characteristics.

• Aircraft research programs were studied because of their
operational nature and similarity to the shuttle.

Specific attempts were made to use programs from manned and unmanned
spaceflight as well as research aircraft programs such as the Earth Resources
Aircraft Program (ERAP).

Manned spaceflight programs were desired because of the direct
man-rating aspects; unmanned programs because most frequently the payload is
adapted to the carrier vehicle (booster), as will occur with payloads
adapting to the shuttle. Aircraft programs are desirable because they are
the only programs where principal investigators fly onboard and operate the
equipment in flight, as may occur on the Shuttle Program.

Based on these driving considerations, the following programs were 
selected for study: 


• Apollo Scientific Instrument Module Bay

• USAF Satellite Safety Criteria

• USAF Manned Orbiting Laboratory

• Apollo Lunar Surface Experiment Package

• Pioneer F&G

• Skylab Experiments

• P&F Subsatellite

• CV-990 Aircraft Research Program

• Model 35

• High Energy Astronomic Observatory

• Earth Resources Aircraft Program


2.1.3 Data Search 

Information was obtained on the programs by two basic methods: 

(1) NASA and contractor personnel who were associated with these programs
were interviewed, enabling the study team to obtain information pertaining 
to the early development stages of these programs where pertinent, 
detailed historical documentation was not available, and (2) current 
documentation was analyzed to obtain the required information. 

While analyzing documentation per the query statements in Table 2-1, 
safety criteria were extracted and accumulated for later use where they 
occurred. 
2.2 CONCLUSIONS

The conclusions reached as a result of the historical research are 
listed in Table 2-2. 

2.3 RECOMMENDATIONS 

Based on conclusions from research and analysis of the past practices, 
recommendations were made to, and accepted by, the NASA management team at 
the formal mid-term review. These recommendations affected safety criteria 
selection and categorization for use in the shuttle era. The
recommendations are presented in Table 2-3.
Table 2-2. Conclusions from Precedent Practices Research


CONCLUSIONS

1. JSC has evolved a comprehensive set of
safety requirements and guidelines. These
requirements and guidelines form a base
from which mandatory space shuttle imposed
requirements can be drawn.

2. Safety requirements and guidelines are not
presently accumulated into a central
source document.

3. Past and current programs have been
primarily research and development in nature,
and have levied extensive safety
requirements on hardware.

4. Operational airborne experiment carriers
levy significantly fewer safety
requirements on instrument hardware as compared
to manned spaceflight systems.

5. Present safety requirements and guidelines
reflect a conservative research and
development approach. If this approach
and these requirements are utilized in the
shuttle era, the space shuttle operational
capability will be severely technical
and cost constrained.

6. Historically, safety in experiments was
achieved by the safety discipline adding
necessary safety requirements to a spec.
All safety requirements were then treated
as subsystem design requirements. Safety
involvement was then required only when
non-compliance occurred.

7. Current safety efforts have been oriented
toward more involvement. In addition to
safety requirements, a hazard analysis and
periodic reporting are required.

8. Research to date demonstrates that only
government equipment or instruments have
been utilized on manned space flight.

9. Flight safety requirements are crew
oriented in vehicles. Ground safety
requirements are ground personnel oriented.

10. On programs to date, safety design
requirements have been mandatory, but requirements
which could not be met were frequently
waived. Efforts to comply with a
requirement which can not be met are expensive, as
is the processing of a waiver. Money spent
in both of these areas can not be
recovered.

11. Compliance with design requirements is
verified primarily by testing, which is the
method of verification most used by NASA.

12. Testing has been a major portion of program
schedule and program cost.

13. Testing to verify a safety requirement is
seldom identified directly because most
safety requirements are levied as design
requirements. Compliance with the
requirement is then verified as a part of
subsystem testing.

14. Overall cost can frequently be lowered by
designing to a greater load factor than
can be imposed, then eliminating testing
requirements. For example, on one
aircraft program, instrument mounts are
designed for up to 9g loading with only
analytical verification required, where
the maximum stress which can be imposed
by the aircraft is 3.5g.
Table 2-3. Recommendations from Precedent Practices Research


RECOMMENDATIONS (each followed by its CONCLUSIONS REFERENCES)

1. A payload preliminary hazards analysis should
be completed to insure the accumulated safety
requirements base will contain the
mandatory set of requirements.
Conclusions references: 1, 2

2. The safety requirements and guidelines
base, verified by the hazard analysis,
form the candidate criteria base which
will be examined in this study.
Conclusions references: 1, 2

3. Use should be made of experience gained in
manned space programs, but a transfer from
an R&D to a scheduled operational approach
should be effected.
Conclusions references: 3, 4, 5

4. The present mandatory set of safety
requirements should be reduced by:

• Use of aircraft-oriented requirements
where the space shuttle is most similar
to an aircraft.

• Use of spacecraft-oriented requirements
where the space shuttle is most similar
to a spacecraft.
Conclusions references: 4, 5, 9, 10

5. Mandatory requirements for crew safety
should be applied equally to a NASA
procured instrument or any independent
payload developer's instrument.
Conclusions references: 4, 6, 7, 8, 9

6. The mandatory set of requirements should
be imposed on payload instruments. A
mandatory set of safety requirements should
not include functional operation success
requirements.
Conclusions references: 3, 5, 9, 10

7. Experience gained to date in space flight
should be used to accomplish verification
by the least expensive method which will
provide sufficient assurance of compliance.
Conclusions references: 11, 12, 13, 14

8. The mandatory safety testing requirements
should not include any unnecessary testing
of instrument functional capability.
Conclusions references: 11, 12, 13, 14
3. CATEGORIZATION PROCESSES DETERMINATION


The objective of this task in the Crew Safety Criteria Study was to use
an analytical approach in the formulation of a methodology and associated
rationale for distinguishing between mandatory and discretionary design
and verification criteria for shuttle sortie payloads.

3.1 APPROACH 

A series of analytical steps forming a logic tree was developed as 
the most objective method to determine categorization now and in the future. 
Several assumptions and guidelines form the basis of the sequential steps 
of each of the two processes; the first process to determine the category 
of a design criterion, and the second process to determine the level of 
verification required to show compliance with a particular design
criterion. The basic definitions and guidelines used in addition to the
study guidelines iterated in Section 1 are these:


• The set of mandatory criteria which must be imposed by
the shuttle for crew safety is not a function of the state
of development of the instrument. An instrument being
designed should be required to meet exactly the same crew
safety criteria as any other off-the-shelf or existing
inventory instrument.

• The definition of safety will be "hazard to the crew"
and includes vehicle hardware damage only where crew
safety is involved.

• An assumption was made that all mandatory criteria
require some form of verification, and discretionary
criteria verification would not be mandatory.

• The process will first examine candidate criteria to
determine that they are sortie payload crew safety criteria.
Then, to determine that each criterion is either mandatory
or discretionary, it is necessary to examine the severity
of consequence of not applying the criterion.


Both the design and the verification categorization processes, because
of their general nature, can be used to categorize safety criteria now, and
as further definition of payloads occurs within the shuttle program, the
processes can be modified to be more specific in nature. This modified
process, together with guidelines representing the specific situation under
study, allows NASA to use these categorization processes as a means of
determining whether a particular criterion is mandatory, together with
substantiating rationale, to protect the crew from injury by malfunction of a
payload.

3.2 DESIGN PROCESS 

The objective of the design categorization process is to determine 
whether each candidate criterion is mandatory or discretionary with 
respect to crew safety. This was done by determining that the criterion 
under consideration was applicable to a sortie payload and would apply 
to crew safety. Subsequently, the result of not imposing the criterion
is analyzed. A block-by-block discussion and analysis of the main vein of 
the Crew Safety Design Categorization process, which is presented in 
Figure 3-1, follows. 

Block 1. Is the criterion applicable to the payload class under
consideration?

The purpose here is to determine whether the criterion can be applied to
a sortie payload. More detailed screening of each criterion involves
determining whether that criterion applies to a possible subsystem of a sortie
payload or to a subsystem which is precluded as part of a sortie payload,
such as a propulsive system, satellite, or tug ejection mechanism.
Those criteria found not to apply to a sortie payload are held for separate
delivery to NASA.

Block 3. Does the criterion address a hazard that could endanger 
the crew? 

The determination is made here as to whether a hazard is being controlled 
which applies ultimately to crew safety or compatibility where hardware is 
being protected from other hardware. Those criteria found not to apply to 
a crew hazard were referred to the Systems Compatibility Criteria Study 
for analysis, and the categorization process continues for those which
apply to crew hazard.
Figure 3-1. Crew Safety Design Categorization Process

Block 5. Does the hazard fall within the stipulated guidelines?

The guidelines under consideration influence the decision at this point.
For Block 5, the guidelines introduced in Table 1-2 are used. In future
uses by NASA, other stipulations may be used such as more liberal definitions
for the credibility of hazards and/or matters of NASA policy.

Block 7. Do uncontrolled hazards remain when this criterion is applied? 

The intent of this question is to determine if applying the criterion 
under consideration protects the crew from this hazard, or is the hazard 
only partly controlled and additional criteria required to control the 
hazard. Note that this question does not refer to other, similar hazards 
which must be controlled by other criteria. An example of the use of 
this block can be found in F-8 in Table 6-9, which requires shutting off 
air circulation in the event of a fire. Two uncontrolled hazards remain: 
no breathable atmosphere (required by E/I-18 in Table 6-4) and fire 
suppression (required by F-7 in Table 6-9). Thus, the three criteria 
together completely control the hazard. 

Block 10. Does this criterion prevent a hazardous condition which could 
cause direct injury to the crew? 

At this point in the process, it was found worthwhile to separate the 
situations where a direct payload to crew interface exists (and injury 
can be direct via this interface) from indirect injury (where damage to 
the shuttle could propagate to the crew member). This is a major branch 
in the design criteria categorization methodology. 

This branch was necessary because of distinction between the manner 
of crew injury. In the direct case, the crew/payload interface is
considered. In the indirect case, hardware damage is considered, and payload
to vehicle interfaces are addressed using the shuttle model to determine 
the extent of possible vehicle damage which could result in crew injury. 

Block 13. What is the extent of the possible injury? 

Upon entering Block 13, we have determined that the hazard is appropriate
for consideration and that injury to the crew member is possible.
In Block 13, the determination is made of the extent of injury induced
by the payload hazard if the criterion is not imposed. Four questions are
asked in what might be called decreasing order of severity. These four
questions encompass all crew injury which would be beyond the onboard
medical capabilities and would require mission termination for medical aid.


• Is there immediate loss of life? Immediate loss of life
is defined as a situation where death would occur before
the mission could be aborted.

• Is the injury terminal? This question refers to injury
of a sort (such as a radiation overdose) which
would shorten the life of the crew member, but has no
immediate physical impairment as far as the mission is
concerned.

• Is the injury permanent? Permanent injury is defined as
an injury from which the crew member could not recover,
such as loss of an eye or a limb.

• Is the injury sufficiently serious to require termination
of the mission in order to obtain medical aid? A major
injury such as a broken arm, serious bleeding, or some
physical problem could, in the judgement of the crew
and mission control personnel, require aborting the mission
in order to obtain medical aid.


An affirmative answer to any one or more of these four questions is 
sufficient grounds for the criterion to be considered a mandatory design 
criterion. A negative answer to all four questions will generate a
discretionary criteria decision indicating that there may be only a minor
crew injury which has basically no effect on the mission or lasting effect 
on the crew member(s), and is within the onboard medical capabilities. 
Assurance that a hazard would, in fact, cause minor damage or injury to 
the crew can be more easily determined during phase C and D of payload 
development, and thus has been built into the process here to make the 
process more usable in the future. 
Block 11. Is the injury to the crew member immediate or delayed?

Upon entering this block from Block 10, we have determined that a payload 
malfunction involving a crew hazard treated by a particular criterion may 
cause vehicle damage which can propagate to cause indirect crew injury. A 
distinction is made in Block 11 to determine whether this hazard, which can 
propagate to the crew, will propagate immediately or can occur after a time 
delay. The time delay is defined as sufficient for a normal mission 
termination. 

The distinction being made here is basically the same as whether
emergency abort procedures will be used, or the crew has time to perform
part of a mission timeline and then perform a normal deorbit and entry.
The abort mode can involve hazardous operations which are not present in
the delayed situation.

Block 12. Is safe mission termination possible? 

Upon arrival at Block 12, we have determined that a hazard which can cause
indirect and delayed (there is time for an early mission termination)
injury to the crew exists. Since the injury is indirect, vehicle damage
must exist. Block 12, therefore, addresses the condition of the shuttle.

Subset questions might be:

• Can damage to the shuttle be such that it is
aerodynamically unstable?

• Might the payload bay doors be damaged so that they cannot be
closed?

A negative response to the block question indicates payload damage
to the vehicle which prevents entry, making the criterion mandatory. An
affirmative response, indicating minor vehicle damage, leads to an
assumption that delayed injury can occur to the crew as a result of the vehicle
damage, thus making it necessary to terminate the mission early if the
injury is significant. The injury situations in Block 13 are again
considered.
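
The design categorization logic tree of Section 3.2, written out as Python so that each decision carries the list of blocks it passed through as its rationale. This is an added example, not part of the TRW report: the sample criteria (EX-1 to EX-6) and all names are constructed, and the two exits the text does not spell out (a "no" at Block 5 and the "immediate" answer at Block 11) are labelled assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    NOT_SORTIE = "not applicable to a sortie payload; held for separate delivery"
    COMPATIBILITY = "no crew hazard; referred to the systems compatibility study"
    OUT_OF_GUIDELINES = "hazard outside the stipulated guidelines"
    MANDATORY = "mandatory"
    DISCRETIONARY = "discretionary"


@dataclass
class Injury:
    """Answers to the four Block 13 questions, in decreasing order of severity."""
    immediate_loss_of_life: bool = False
    terminal: bool = False                  # e.g. radiation overdose
    permanent: bool = False                 # e.g. loss of an eye or a limb
    needs_mission_termination: bool = False

    def beyond_onboard_care(self) -> bool:
        return (self.immediate_loss_of_life or self.terminal
                or self.permanent or self.needs_mission_termination)


@dataclass
class Criterion:
    ident: str
    applies_to_sortie_payload: bool = True          # Block 1
    addresses_crew_hazard: bool = True              # Block 3
    within_guidelines: bool = True                  # Block 5
    companion_criteria: tuple = ()                  # Block 7: criteria for residual hazards
    direct_injury: bool = True                      # Block 10
    propagates_immediately: bool = False            # Block 11 (indirect branch only)
    safe_termination_possible: bool = True          # Block 12 (indirect, delayed only)
    injury: Injury = field(default_factory=Injury)  # Block 13: injury if not imposed


@dataclass
class Decision:
    category: Category
    blocks: list             # blocks visited, in order (the rationale trail)
    companions: tuple = ()   # other criteria needed to fully control the hazard


def categorize(c: Criterion) -> Decision:
    blocks = [1]
    if not c.applies_to_sortie_payload:
        return Decision(Category.NOT_SORTIE, blocks)
    blocks.append(3)
    if not c.addresses_crew_hazard:
        return Decision(Category.COMPATIBILITY, blocks)
    blocks.append(5)
    if not c.within_guidelines:
        # Assumption: the text does not name this exit; modelled as its own outcome.
        return Decision(Category.OUT_OF_GUIDELINES, blocks)
    # Block 7 does not change the category; it records which companion criteria
    # are needed so that the hazard is completely controlled.
    blocks += [7, 10]
    if not c.direct_injury:
        blocks.append(11)
        if c.propagates_immediately:
            # Assumption: the text does not state this branch's outcome;
            # no time for normal termination is treated here as mandatory.
            return Decision(Category.MANDATORY, blocks, c.companion_criteria)
        blocks.append(12)
        if not c.safe_termination_possible:
            return Decision(Category.MANDATORY, blocks, c.companion_criteria)
    blocks.append(13)
    category = (Category.MANDATORY if c.injury.beyond_onboard_care()
                else Category.DISCRETIONARY)
    return Decision(category, blocks, c.companion_criteria)


# Constructed sample criteria; identifiers and answers are hypothetical.
SAMPLES = [
    Criterion("EX-1 tug ejection latch", applies_to_sortie_payload=False),
    Criterion("EX-2 hardware-to-hardware protection", addresses_crew_hazard=False),
    Criterion("EX-3 radiation source shielding", injury=Injury(terminal=True)),
    Criterion("EX-4 minor abrasion hazard"),
    Criterion("EX-5 damage that blocks bay door closure",
              direct_injury=False, safe_termination_possible=False),
    # Block 7 pattern from the text: one criterion plus two companions.
    Criterion("EX-6 air circulation shutoff on fire",
              companion_criteria=("E/I-18", "F-7"),
              injury=Injury(immediate_loss_of_life=True)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        d = categorize(sample)
        print(f"{sample.ident}: {d.category.value} via blocks {d.blocks} "
              f"companions={d.companions}")
```
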

3.3 VERIFICATION PROCESS DETERMINATION 

The objective of verification is to assure compliance with a
particular mandatory design criterion. Study of the five basic methods of
verification as defined in Apollo Test Requirements (Reference 1) was
undertaken to determine under which circumstances each type of
verification could be considered sufficient to assure compliance.

As was brought out in conclusions (Table 2-2) from the precedent
practices research, experience obtained in spaceflight and spaceflight
hardware construction should allow selective easing of verification
requirements. Since the first five verification methods listed below are
generally less costly than testing of an article, overall programmatic cost
savings can be realized for sortie payloads if testing can be de-emphasized.

The verification process presented in Figure 3-2 is designed to
determine, for each mandatory design criterion, the minimum method of
verification which can be used to show compliance with the design criterion. If
verification by a method other than testing is sufficient, then testing
of the article to show compliance is discretionary verification to
shuttle management.

Block 1. Similarity

Perhaps the most basic method of verification is by similarity. That is,
where a space qualified component is being used in an application similar
to that for which it was originally designed. It has been found that
frequently equipment verified for flight on manned aircraft (such as the
ERAP Program) would be sufficiently qualified to allow the component to
be considered qualified for spaceflight. An example of this would be
vehicle-induced environment.

Block 2. Analysis

Analysis may be used in situations where stress and thermal analyses are 
performed and, because of uncertainty, safety factors are frequently 
applied. Under conditions where sufficiently high safety factors are 
applied, it can be clearly shown by analysis that a hazard has been 
controlled and, therefore, actual testing is not required. 
Figure 3-2. Verification Process

Block 3. Inspection

Frequently, verification can be achieved by inspection of a drawing to 
which the hardware will be built. This type verification is most commonly 
done at design reviews. A schematic drawing, for example, showing an 
arming circuit activated by one switch and a firing circuit activated by 
a second switch would be sufficient verification of the mandatory
pyrotechnic design criterion (ED-2) found in Section 6 of this report.
Inspection can also include a physical examination of the article, such 
as inspection of measurements, shape, or the materials of construction. 

Block 4. Demonstration

Demonstration is usually restricted to verification of a man/equipment 
interface. This method of verification can be used to demonstrate that 
an astronaut can physically perform tasks such as twisting handles or 
reaching positions on equipment. 

Block 5. Combination

Verification by combining two or more of the previously discussed methods
may be utilized if one method does not provide minimum acceptable
verification.

If none of the four verification methods or any combination of the 
four can provide sufficient assurance of compliance with a particular 
design criterion, then verification by testing will be required. 
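
The Block 3 inspection example (an arming circuit on one switch, a firing circuit on a second) can be checked mechanically once the schematic is captured as a series/parallel structure. The Python below is an added illustration, not part of the report; the tuple encoding, the switch names and the three sample circuits are constructed, and it assumes each distinct switch counts as one discrete event under ED-2.

```python
"""Design-review check for criterion ED-2: at least two discrete and
separate events must be required to initiate a pyrotechnic.
Added example; circuit encoding and switch names are constructed."""
from itertools import product

# Circuit encoding (an assumption of this example, not a NASA format):
#   ("SW", name)        one switch, counted as one discrete event
#   ("AND", a, b, ...)  series elements: every branch must be closed
#   ("OR", a, b, ...)   parallel elements: any one closed branch is enough


def minimise(sets):
    """Drop duplicates and every set that strictly contains another set."""
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    # Smallest sets first, then alphabetical, so results are deterministic.
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def path_sets(node):
    """Return the minimal sets of switches whose closure fires the initiator."""
    kind, *parts = node
    if kind == "SW":
        (name,) = parts
        return [frozenset([name])]
    if not parts:
        raise ValueError(f"{kind} node has no branches")
    children = [path_sets(part) for part in parts]
    if kind == "OR":
        # Any branch alone completes the circuit.
        return minimise(s for sets in children for s in sets)
    if kind == "AND":
        # One path from every branch is needed; merge them switch by switch,
        # so a switch shared between branches is counted only once.
        return minimise(frozenset().union(*combo) for combo in product(*children))
    raise ValueError(f"unknown node type {kind!r}")


def check_ed2(circuit, required_events=2):
    """Report whether the fewest switch closures that fire meets ED-2."""
    weakest = path_sets(circuit)[0]
    return {
        "compliant": len(weakest) >= required_events,
        "min_events": len(weakest),
        "weakest_path": sorted(weakest),
    }


ARM, FIRE = ("SW", "ARM"), ("SW", "FIRE")

# Constructed sample schematics.
COMPLIANT = ("AND", ARM, FIRE)                        # arm and fire in series
BYPASS = ("OR", ("AND", ARM, FIRE), ("SW", "TEST_JUMPER"))  # parallel bypass
SHARED = ("AND",                                      # one switch in both circuits
          ("OR", ARM, ("SW", "MASTER")),
          ("OR", FIRE, ("SW", "MASTER")))

if __name__ == "__main__":
    for label, circuit in (("compliant", COMPLIANT),
                           ("bypass", BYPASS),
                           ("shared", SHARED)):
        print(label, check_ed2(circuit))
```

The SHARED case is the one a drawing review most easily misses: two switches appear in each circuit, yet a single switch common to both completes the firing chain on its own.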
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4. CANDIDATE CRITERIA DETERMINATION 

Pursuant to the study direction, NASA/JSC agreed to furnish the basic 
set of safety criteria. These were complemented by requirements accumulated 
during the past practices research and by a hazard analysis. 

Safety Program Directive No. 1 (Reference 2) defines a hazard reduction 
precedence sequence which is paraphrased below: 

1) Design for minimum hazards 

2) Apply appropriate safety devices where design is incapable 
of eliminating the hazard 

3) Apply warning devices where some hazard cannot be precluded 

4) Develop special procedures to counter a hazard 

5) Identify residual hazards which cannot be eliminated 

The candidate design criteria were developed with consideration of 
this sequence. 

This study took the position that all hazards can, in effect, be 
"designed out" or controlled by the application of a safety or warning 
device. The criteria address these first three categories of the hazard 
reduction sequence. Procedural statements were rewritten wherever possible 
as design criteria rather than procedural statements. The basis for 
this position is that procedural statements should be developed only when 
it can be shown that the first three categories (all involving design) can- 
not control the hazard. This cannot be shown until design efforts have 
proven fruitless, and current shuttle payload design is in an infancy stage. 
The procedural statement was rewritten as a design criterion and retained 
to help insure that no hazards were overlooked. For the same reason, no 
residual uncontrolled hazard can yet be identified. 
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4.1 PRIMARY SOURCES 

The first conclusion of the Precedent Practices Research Phase of 
the study states that NASA/JSC does have a comprehensive set of safety 
requirements and guidelines. The primary source of data for this study 
phase was the JSC Safety Office who made available (among other documenta- 
tion) five significant safety studies (References 3 through 7) which had 
been performed for JSC, NASA Headquarters and MSFC over the period of the 
last two years. These studies, listed below, supplied a large number of 
the safety requirements and guidelines and much useful background informa- 
tion about applicabilities and constraints which were used in the Precedent 
Practices Research Phase. 

• Preliminary Hazard Analysis of Space Shuttle Payloads and 
Payload Interfaces (MSC) 

• Safety in Earth Orbit Study (NR) 

• Advanced Mission Safety Study (Hqtrs/Aerospace) 

• Systems Safety Guidelines for New Space Operations Concepts 
(MSFC/LMSC) 

• Manned Space Flight Nuclear Safety Study (MSFC/GE) 

Documentation from all of the programs and collective stand-alone NASA 
documents such as MSCM 8080 which were reviewed during the Precedent 
Practices Research Phase of the study were sources of existing requirements. 

The most significant of these documents are summarized below (References 
8 through 13). These six documents, coupled with the referenced safety 
studies, supplied virtually a complete set of requirements and guidelines. 

• Manned Spacecraft Criteria and Standards (MSCM 8080) 

• Space Flight Hazards Catalog 

• Space Vehicle Design Criteria Manual 

• Radiation Protection Guidelines and Constraints for Space- 
Mission and Vehicle-Design Studies Involving Nuclear Systems 

• Standard Satellite System Safety Design Criteria 

• System Safety Design Handbook 
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All of the sources reviewed represent past and current safety 
practices and supplied existing requirements. These requirements needed 
to be modulated by the most current shuttle design information. The 
shuttle model used was supplied by JSC as was Space Shuttle Baseline 
Accommodations for Payloads (Reference 14). 

4.2 APPLICABLE HAZARD AREAS 


The following twelve hazard areas stem from the traditional hazard 
areas listed in the Safety Program Directive No. 1 (Reference 2), as 
applicable to this study, falling within the study boundaries and guidelines. 


• Explosive Devices 

• Energy Source Isolation 

• Materials Compatibility 

• Ionizing Radiation (including Nuclear Device Considerations) 

• Fuels and Oxidizers Considerations 

• Pressure Vessels 

• Electrical Shock 

• EVA/IVA 

• Contamination (including Toxicity) 

• Fire 

• Systems Interactions 

• Structural 

The following hazard categories were not addressed because these 
categories are either outside the scope of the study (as defined in Section 
1) or are not applicable to sortie payload hardware. 


• Crashworthiness 

• Docking considerations 

• Documentation for sole operation and maintenance 

• Long term storage 

• Human factors 

• Training and certification 

• Egress, rescue, survival and salvage 

4.3 CRITERIA SYNTHESIS 


The initial accumulation of candidate safety requirements and guide- 
lines involved extracting each statement found in all documents reviewed, 
with no regard for redundancy or non-applicability. The statements were 
then sorted by hazard area and those found to be clearly not applicable 
to any sortie payload hazard area were eliminated. 
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Nearly 600 candidate criteria were grouped into the 12 applicable 
hazard areas. Within each hazard area, similar statements were grouped 
together, and each group of similar statements was subsequently 
synthesized into one criterion statement. A criterion which is synthesized 
from a group of requirements and guidelines is more general in nature 
than any one specific design requirement, and encompasses the intent 
of all of the separate requirements and guidelines from which it is 
composed. 

During the course of this period of criteria management, the first 
two steps of the design categorization process were completed. Criteria 
found not applicable to sortie payloads or not applicable to crew safety 
(pursuant to the study definition) were removed and either filed as not 
applicable or included in the Compatibility Study for consideration (see 
Volume III of this report). Likewise, safety criteria were received from 
the criteria management effort of the Compatibility Study. The resulting 
criteria which were subsequently taken through the process were thereby 
reduced to the 132 statements which are included in Section 6 of this 
report. 

Those "duplicate" and "not applicable" criteria statements which 
were removed from further consideration have been retained in separate 
files and will be delivered to NASA/JSC under separate cover from this 
report. These criteria represent a comprehensive compilation which 
will be useful to JSC in other safety work. 
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5. HAZARD ANALYSIS 

The main purpose of the hazard analysis was to generate a capability 
to cross-check the crew safety design criteria population to insure that all 
known hazards which could occur on a sortie payload were treated by the 
criteria. The hazard analysis was performed as a separate effort to the 
accumulation of candidate criteria, with no interchange. In this manner, 
objectivity of the hazard analysis is insured. 

5.1 ASSUMPTIONS AND LIMITATIONS 

The scope of this hazard analysis was broad, thereby necessarily 
yielding an analysis general in nature. Even though general, the analysis 
served the useful purpose of defining the scope of the types of hazards 
that might be found aboard sortie payloads. As new experiments are defined, 
it is possible that additional specific hazards will be considered. 

The basic guidelines of the study were used as boundaries for the 
hazard analysis. For example, the time limit boundary basically excludes 
GSE and ground activities from consideration, and the definition of sortie 
payload eliminates some subsystems from consideration. 

In general, only events or conditions that are inherently dangerous 
in themselves were considered. If design of device A is influenced so 
that a hazard cannot occur, then malfunction of other equipment can still 
not cause that hazard to occur on Device A. Events or conditions were 
not analyzed if: 

• Death or injury could be caused by secondary effects 
such as a laser radiating energy on a pressure vessel 
causing it to explode, thereby destroying the orbiter. 

Pressure vessel design criteria should preclude the 
explosion, by relief techniques, thermal control, etc. 

• Death or injury could be caused by out-of-sequence 
operations, false signals, or failure of system hard- 
ware when specific definition of system hardware design 
is required to determine the effect of the failure. 

The twelve applicable hazard areas for this study were used as guide- 
lines, but pursuant to the nature of any hazard analysis, these guidelines 
were not limiting or binding. 
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5.2 GENERALIZED SORTIE PAYLOAD 

At present, a complete sortie payload does not exist upon which a 
hazard analysis could be performed. Additionally, analysis of any given 
sortie payload would not insure a complete analysis, as no one payload 
will have every conceivable subsystem or material which the analysis must 
treat. 

The basis for this hazard analysis was, therefore, a generalized 
sortie payload concept generated to represent all hardware subsystems 
which can occur as part of a sortie payload, and to list considerations or 
types of conditions which can occur on the sortie payload (such as an 
experiment containing microbes). 

The generalized sortie payload subsystems and considerations are pre- 
sented in Table 5-1. 

5.3 ANALYSIS 

The analysis followed the outline of the Generalized Sortie Payload, 
and therefore Table 5-1 can be used as an index to the overall hazard 
analysis output. 

The first step in the performance of the hazard analysis was to gather 
information relating to shuttle sortie payloads, the materials for con- 
struction, and known hazards involved in instruments and materials which 
compose these payloads. Data were gathered from applicable documentation 
(References 4, 13, 14, and 15). 

The next step of the hazard analysis was to identify, from among the 
materials, subsystems, and particular equipment, identifiable mechanisms for 
energy release. Associated with each of these energy release mechanisms 
are one or more hazards, which are identified and listed as a subset of 
the release mechanism classification. The entire output of the analysis 
is presented in Table 5-2. 

In the later comparison between the hazards identified and the cate- 
gorized criteria, five hazards were found to exist for which there were 
no criteria. Applicable criteria were generated and categorized. 


Table 5-1. Generalized Sortie Payload Subsystems and Considerations 

1.0 MATERIAL 
    1.1 Metal 
    1.2 Plastic 
    1.3 Composite Material 

2.0 MECHANICAL 
    2.1 Hatch 
    2.2 Structures 
    2.3 Cryogenic Cooler 
    2.4 Extendable Booms 
    2.5 Antenna 
    2.6 Gyros 
    2.7 Shields 
    2.8 Hydraulics 

3.0 CONTROLS & DISPLAYS 
    3.1 Control Stimuli 
    3.2 Display Responses 
    3.3 Computer Operations 

4.0 THERMAL 
    4.1 Conduction 
    4.2 Liquid Loop/Cold Plate 
    4.3 Heaters 
    4.4 Insulation 
    4.5 Radiation 

5.0 PNEUMATICS 
    5.1 Pressure Vessels 
    5.2 Extending Mechanisms 
    5.3 Valves & Lines 
    5.4 Compressor 

6.0 ENERGY SOURCES (Also Generating Equipment Considered) 
    6.1 X-Ray 
    6.2 Magnetic Flux (EMI) 
    6.3 Radio Frequency (RF) 
    6.4 Payload Generated Nuclear Particles 
    6.5 Laser 

7.0 INSTRUMENTS 
    7.1 Data Circuitry 
    7.2 Transducers 
    7.3 Electrical Instruments 

8.0 AGENTS 
    8.1 Reagents 
    8.2 Pathogens 
    8.3 Fuels & Oxidizers 
    8.4 Fluids & Gases 
    8.5 Corrosive Fluids 

9.0 POINTING/AIMING 
    9.1 Gimballed Platforms 

10.0 PYROTECHNICS 
    10.1 Pyrotechnics 

11.0 ELECTRICAL/ELECTRONIC 
    11.1 Power Circuitry 
    11.2 Batteries 
    11.3 Power Supplies (AC & DC) 
    11.4 RF Transmitters 

12.0 CREW INVOLVEMENT 
    12.1 EVA/IVA 
    12.2 Control Display Interface 
    12.3 Direct Operation 

13.0 ENVIRONMENT 
    13.1 Pressure 
    13.2 Vibration 
    13.3 Acceleration 
    13.4 Thermal 
    13.5 Humidity 
    13.6 Acoustical 
    13.7 Gravity 
    13.8 Natural Radiation 
    13.9 Contamination 
    13.10 Meteoroid 
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Table 5-2. Preliminary Sortie Payload Hazard Analysis 

CATEGORY / SUBSYSTEM DESCRIPTION / HAZARD TO CREW 

1.0 MATERIAL 

1.1 Metal 
    Subsystem description: Magnesium; Aluminum; Beryllium; Steel; Copper; 
    Lithium Fluoride; Mercury; Potassium; Binary Hafnium Compound; 
    Potassium Sodium Niobate; Gallium Arsenite; Alumina 
    Hazard to crew: 
    • Toxic metal 
    • Fragile metal, unexpected structural failure 
    • Material at high temperature, metal ignition 
    • Flammable metal 
    • Radioactive 

1.2 Plastic 
    Subsystem description: Teflon; Fiberglas; Urethane 
    Hazard to crew: 
    • Toxic plastic 
    • Fragile plastic 
    • Combustible plastic 

1.3 Composite Material 
    Subsystem description: Wood; Ceramic; Carbon Filament; Asbestos 
    Hazard to crew: 
    • Combustible material 
    • Fragile material 
    • Toxic material 

2.0 MECHANICAL 

2.1 Hatch 
    Subsystem description: Hatch 
    Hazard to crew: 
    • Failure of hatch to function 
    • Sharp edges on hatch 
    • Hatch opens inadvertently 
    • Kinetic energy of hatch when being opened 
    • Crack occurs in hatch and causes decompression 
    • Hatch too small in diameter limiting personnel flow during regular 
      and emergency egress 
    • Failure of expandable hatchway 

2.2 Structures 
    Subsystem description: Payload Structure 
    Hazard to crew: 
    • Structure fails due to fatigue or stress, equipment becomes a 
      projectile 
    • Sharp edges 
    • Caught in structure (EVA activities) 
    • Prestressed members (stored energy) 
    • Bending of structure (whipping action) 
    • Interference with deploying structure 

2.3 Cryogenic Cooler 
    Subsystem description: Cryogenic Cooler 
    Hazard to crew: 
    • Cryogenic fluid leakage (suffocation) 
    • Cryogenic fluid boil off (venting) not occurring properly 
    • Tank burst 
    • Material exposed to cryogenic fluid (material may burn with LOX) 
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Table 5-2. Preliminary Sortie Payload Hazard Analysis (Continued) 

CATEGORY / SUBSYSTEM DESCRIPTION / HAZARD TO CREW 

2.0 MECHANICAL (Continued) 

2.4 Extendable Booms 
    Subsystem description: Extendable Booms for Ion Collector Target; 
    Extendable Antenna; Telescopic Boom 
    Hazard to crew: 
    • Stored mechanical energy 
    • Sharp edges 
    • Rate of movement (kinetic energy) 
    • Bending of boom (whipping action) 
    • Stowing of boom 
    • Inadvertent release 
    • Physical interference with critical system 

2.5 Antenna 
    Subsystem description: Extendable Antenna; "Sunflower" Antenna 
    Hazard to crew: 
    • EVA activities 
    • Sharp edges 
    • Radiating energy 
    • EVA activities 
    • Bending of structure 
    • Stored energy 
    • Deployment 
    • Inadvertent release 
    • Rate of movement (kinetic energy) 
    • Physical interference with critical system 

2.6 Gyros 
    Subsystem description: Control Moment Gyros 
    Hazard to crew: 
    • Rotating parts (kinetic energy) 
    • Electrical shock 
    • Damping fluids leakage (if toxic or flammable fluid used) 
    • Implosion (vacuum container) 

2.7 Shields 
    Subsystem description: Radiation Shields; Mechanical Shields; 
    Heat Shields; Meteorite Absorbing Shields 
    Hazard to crew: 
    • Radiation 
    • Sharp edges 
    • Asbestos shields 
    • Failure of shield 

2.8 Hydraulics 
    Subsystem description: Hydraulic System 
    Hazard to crew: 
    • Failure of components (bursting) 
    • Moving and rotating parts (kinetic energy) 
    • Ignition of flammable hydraulic fluid 

3.0 CONTROLS & DISPLAYS 

3.1 Control Stimuli 
    Subsystem description: Computer Output; Control Circuit; 
    Manual Command 
    Hazard to crew: 
    • Electrical shock 
    • Toxic material such as use of selenium rectifier 

3.2 Display Response 
    Subsystem description: Alarms; Lights; Cathode Ray Tube 
    Hazard to crew: 
    • Display malfunction 
    • X-Ray production 

3.3 Computer Operations 
    Subsystem description: Computer Process 
    Hazard to crew: 
    • Shock hazard 
    • Failure of support, equipment becomes a projectile 
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Table 5-2. Preliminary Sortie Payload Hazard Analysis (Continued) 

CATEGORY / SUBSYSTEM DESCRIPTION / HAZARD TO CREW 

4.0 THERMAL 

4.1 Conduction 
    Subsystem description: Resistance Furnace; Oxygen Chamber Furnace; 
    Thermal Electric Chiller 
    Hazard to crew: 
    • Resistance heated furnace (1600°C achievable) 
    • Oxygen chamber furnace (3200°C achievable) 
    • Failure of conducting element, hot metal spewage 
    • Metals used are toxic 

4.2 Liquid Loop/Cold Plate 
    Subsystem description: Thermal Control Subsystem 
    Hazard to crew: 
    • Line rupture 
    • Flammable fluids ignition 
    • Toxic fluids 
    • Touch hazard, low temperature 

4.3 Heaters 
    Subsystem description: Heater Systems 
    Hazard to crew: 
    • Electrical shock 
    • Touch hazard 
    • High temperatures 

4.4 Insulation 
    Subsystem description: Firewall; Heat Insulator 
    Hazard to crew: 
    • Toxic outgassing from insulator 

4.5 Radiation 
    Subsystem description: Quartz Tube Furnace; Induction Furnace 
    Hazard to crew: 
    • Touch temp (300°C) 
    • Touch temp (1600°C - 2500°C) 
    • Plasma electron beam unit (heating) 

5.0 PNEUMATICS 

5.1 Pressure Vessels 
    Subsystem description: Heater Systems; Refrigeration Systems; 
    Cryogenic Systems; Pressurized Containers; Pressurized Instruments 
    Hazard to crew: 
    • Pressure vessel or instrument ruptures, shrapnel may result 
    • Pressure leakage possibly causing structural limits in the cargo 
      bay to be exceeded 
    • Leakage of flammable fluids and gases may cause explosion or fires 
    • Pressurized vessel or instrument with toxic outgassing 
    • Permeability of container 
    • Leaking or release of toxic fluids and gases 

5.2 Extending Mechanisms 
    Subsystem description: Telescopic Boom; Rotary-Motion Boom; 
    Bellows Type Boom 
    Hazard to crew: 
    • Sharp edges 
    • Rupture of pressurized portion of boom 
    • Kinetic energy 
    • Hardware interfaces, individual caught between two items moving 
      relative to each other 
    • Gas leaks from pressurized portion of the boom, gas may be 
      flammable or explosive, boom may be immobilized 
    • Toxic gases leaking from pressurized portion of the boom 
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Table 5-2. Preliminary Sortie Payload Hazard Analysis (Continued) 

CATEGORY / SUBSYSTEM DESCRIPTION / HAZARD TO CREW 

5.0 PNEUMATICS 

5.3 Valves & Lines 
    Subsystem description: Cabin Pressurization; Pressure Vessel 
    Hazard to crew: 
    • Rupture of valve 
    • Leakage (internal and external) 
    • Line rupture 
    • Kinetic energy of whipping hoses or line 
    • Pressure outlet of gas gun 

5.4 Compressor 
    Subsystem description: Compressor System 
    Hazard to crew: 
    • Compressor rupture 
    • Fire in compressor caused by ignition of all vapors 
    • Leaks 
    • Escaping gases vented into wrong space 

6.0 ENERGY SOURCES (Also Generating Equipment Considered) 

6.1 X-Ray 
    Subsystem description: X-Ray Source; Radioactive Material 
    Hazard to crew: 
    • X-Ray radiation (voltage over 15KV) 
    • Shock hazard 
    • Radioactive material (approx. 5 microcuries) 

6.2 Magnetic Flux (EMI) 
    Subsystem description: Induction Heating Unit; Induction 
    Positioning Device; Super Conductor Magnet 
    Hazard to crew: 
    • Loose objects in induction unit 
    • RF radiation 
    • Uncontrolled cryogenic release 
    • Electrical shock 
    • Sharp edges 
    • EMI on other system 

6.3 Radio Frequency (RF) 
    Subsystem description: Communication System; R.F. Oven 
    Hazard to crew: 
    • Electromagnetic field 
    • Heating effects 
    • Shock hazard 

6.4 Payload Generated 
    Subsystem description: Radioisotope Power Generator; 
    Radioisotope Calibrator 
    Hazard to crew: 
    • Radioactive source 
    • High external temperature 
    • Ionizing radiation 
    • Resistance load bank (high temperature) 

6.5 Laser 
    Subsystem description: Laser Operation 
    Hazard to crew: 
    • Noise 
    • Exploding components 
    • Brilliant light 
    • IR & UV radiation 
    • X-Ray 
    • Cryogens 
    • Concentrated energy 
    • Gases 
    • High voltage 
    • Heat of laser generator 
    • Laser beam impingement on other equipment 
    • Beam impingement on personnel or population 
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Table 5-2. Preliminary Sortie Payload Hazard Analysis (Continued) 

CATEGORY / SUBSYSTEM DESCRIPTION / HAZARD TO CREW 

7.0 INSTRUMENTS 

7.1 Data Circuitry 
    Subsystem description: Telemetry; Instrumentation (Transducer 
    Circuits); Data Processing Circuits 
    Hazard to crew: 
    • Electrical shock 
    • Toxic materials (selenium rectifiers) 
    • Outgassing materials 

7.2 Transducers 
    Subsystem description: Pressure; Temperature; Vibration; Humidity; 
    Smoke; Fire; Combustible Gases; Shock; Accelerometer; Geiger Counter; 
    Photometer; Strain Gauges; Fatigue Gauges 
    Hazard to crew: 
    • Radiation source in transducer 
    • Hazardous chemicals 
    • Electrical shock 

7.3 Electrical Instruments 
    Subsystem description: Electron Microscope; Radiometer; Altimeter; 
    Cameras; Dosimeter (Active); Interferometer; Lasers; Life Sciences 
    Packages; Materials Processing Packages; Optical Telescopes; 
    Photometers; Radiometer; Scanners; Scatterometer; Specimens 
    (Exposure); Spectrometers; Terrain Sounder; X-Ray Telescope 
    Hazard to crew: 
    • Toxic gas 
    • Electrical shock 
    • X-Ray radiation (voltage over 15KV) 

8.0 AGENTS 

8.1 Reagents 
    Subsystem description: Fuel Cell System 
    Hazard to crew: 
    • Release of barium oxide 
    • Release of potassium 

8.2 Pathogens 
    Subsystem description: Microbiological Experiment Operation 
    Hazard to crew: 
    • Ingestion of pathogens 
    • Skin contamination with pathogens 
    Types of pathogens: 
    • Argobacterium 
    • Tumerfaciens 
    • Pathogenic and highly toxic materials used in electrophoretic 
      separation 
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Table 5-2. Preliminary Sortie Payload Hazard Analysis (Continued) 

CATEGORY / SUBSYSTEM DESCRIPTION / HAZARD TO CREW 

8.0 AGENTS (Continued) 

8.3 Fuels & Oxidizers 
    Subsystem description: Fuel Cell System 
    Hazard to crew: 
    • LOX and LH2 reaction (explosive combination) 
    • LOX leakage (peculiar dangerous properties) 
    • GOX leakage (peculiar dangerous properties) 
    • LH2 ignition (fire not visible) 

8.4 Fluids & Gases 
    Subsystem description: Cryogenic Cooler Fluid (LN2); Work Bay 
    Pressurized Vessels 
    Hazard to crew: 
    • LN2 leakage not detected (suffocation) 
    • N2-O2 mixture changes 
    • LHe 
    • LNe 
    • Ammonia, Iodide Cyanide 
    • Carbon tetrafluoride, paraffin hydrocarbon 
    • Iodide Cyanide 
    • Nitrogen Oxides 
    • Diborane 
    • Freon 
    • Formaldehyde 
    • Carbides 

8.5 Corrosive Fluids 
    Subsystem description: Cooling System; Battery 
    Hazard to crew: 
    • Liquid oxygen 
    • Gaseous oxygen 
    • Liquid hydrogen 
    • Battery electrolyte 

9.0 POINTING/AIMING 

9.1 Gimballed Platforms 
    Subsystem description: Telescope Gimbal 
    Hazard to crew: 
    • Rate of movement (kinetic energy) 
    • Sharp edges and corners 
    • Failure of gimbal stops 

10.0 PYROTECHNICS 

10.1 Pyrotechnics 
    Subsystem description: Pyro Operation 
    Hazard to crew: 
    • Sound level 
    • Outgasses 
    • Explosion 

11.0 ELECTRICAL/ELECTRONIC 

11.1 Power Circuitry 
    Subsystem description: Power Hookup Between Interface Equipment 
    Hazard to crew: 
    • Static electricity 
    • Fires 
    • Insulation outgassing 
    • Explosion of component 
    • Discharge of capacitor 
    • Heat dissipation 

11.2 Batteries 
    Subsystem description: Silver Zinc Battery; Nickel-Cadmium Battery 
    Hazard to crew: 
    • Caustic electrolyte 
    • Sparks 
    • Explosion 
    • Electrical shock 
    • Fires 
    • Leakage of GOX and gaseous hydrogen 
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Table 5-2. Preliminary Sortie Payload Hazard Analysis (Continued) 

CATEGORY / SUBSYSTEM DESCRIPTION / HAZARD TO CREW 

11.0 ELECTRICAL/ELECTRONIC (Continued) 

11.3 Power Supplies (AC & DC) 
    Subsystem description: Power Supply Operation 
    Hazard to crew: 
    • Exposed low voltage or high voltage leads 
    • Sparks 
    • X-Ray from 15KV source 
    • Corona effect 
    • Toxic gas or material in tube 
    • Hardware failure 

11.4 RF Transmitters 
    Subsystem description: Operation 
    Hazard to crew: 
    • Electrical shock hazard 
    • Fire hazard 
    • Sparking 
    • Capacitor explosion 
    • Radiation damage 

12.0 CREW INVOLVEMENT 

12.1 EVA/IVA 
    Subsystem description: Crewman 
    Hazard to crew: 
    • Lack of control of moving mass 
    • Sharp edges, corners, and rough surfaces 
    • See low-gravity hazards (13.7) 

12.2 Control and Display Interface 
    Subsystem description: Control Console 
    Hazard to crew: 
    • See low gravity hazards (13.7) 
    • Sharp edges and projection 

12.3 Direct Operation 
    Subsystem description: Payload 
    Hazard to crew: 
    • Manual mode operation 
    • Fatigue 

13.0 ENVIRONMENT 

13.1 Pressure 
    Subsystem description: Pressure Vessel; Payload Lab 
    Hazard to crew: 
    • Pressure loss 
    • Sudden pressure change 
    • Vacuum 

13.2 Vibration 
    Subsystem description: Structure 
    Hazard to crew: 
    • Excessive vibration 
    • Structural failure 
    • Equipment failure 

13.3 Acceleration 
    Subsystem description: Structure 
    Hazard to crew: 
    • Excessive shock 
    • Excessive acceleration 
    • Direction change 

13.4 Thermal 
    Subsystem description: Equipment 
    Hazard to crew: 
    • High temperature 
    • Low temperature 
    • Excessive temperature change 

13.5 Humidity 
    Subsystem description: Payload Laboratory 
    Hazard to crew: 
    • Lack of humidity 

13.6 Acoustical 
    Subsystem description: Payload Laboratory 
    Hazard to crew: 
    • Excessive noise 
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Table 5-2. Preliminary Sortie Payload Hazard Analysis (Concluded) 

CATEGORY / SUBSYSTEM DESCRIPTION / HAZARD TO CREW 

13.0 ENVIRONMENT (Continued) 

13.7 Gravity 
    Subsystem description: Equipment 
    Hazard to crew: 
    • Lack of familiarity of low gravity effects 
    • Inability to control mass 
    • Effect on human anatomy 
    • Tumbling 

13.8 Natural Radiation 
    Subsystem description: Thermal; Galactic Cosmic Radiation; 
    Van Allen Belt - Electron & Proton Ionizing Radiation; 
    Solar Flare Proton Burst; Gamma Rays; Ultra-Violet 
    Hazard to crew: 
    • Overdose 

13.9 Contamination 
    Subsystem description: Equipment 
    Hazard to crew: 
    • Experiments with contaminants 
    • Microbiologically and bacteriologically contaminating waste 
      material 
    • Oxidizing environment 
    • Lack of cleanliness 
    • Outgassing 
    • Long term inhalation of non-toxic material 

13.10 Meteoroids 
    Subsystem description: Meteoroids 
    Hazard to crew: 
    • Toxic material 
    • Radioactive material 
    • Cabin pressure loss 
    • Structural damage 
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6. CREW SAFETY DESIGN AND VERIFICATION CRITERIA 

The results of the categorization processing of the criteria are a 
set of minimum, mandatory and discretionary criteria which are presented 
in this section. A summary presentation of all criteria in each hazard 
area is given in Table 6-1. A total of 108 mandatory and 24 discretionary 
criteria are listed in the following tables: 


Hazard Area                    Table    M     D 

• Explosive Devices            6-2      9     1 
• Electric Shock               6-3      3     - 
• Energy Source Isolation      6-4      15    6 
• EVA/IVA                      6-5      20    2 
• Materials Compatibility      6-6      4     - 
• Ionizing Radiation*          6-7      13    4 
• Contamination/Toxicity       6-8      9     - 
• Fire                         6-9      8     1 
• Fuels and Oxidizers          6-10     2     - 
• Pressure Vessels             6-11     14    8 
• Structural                   6-12     6     2 
• Systems Interaction          6-13     5     - 

*Includes nuclear devices 


These criteria are the primary result of the Crew Safety Study. These 
criteria represent the essence of the minimum mandatory criteria required 
to insure crew safety with the sortie payloads. Those discretionary cri- 
teria included represent a partial listing of discretionary design criteria. 
Per the Study Scope, pure "hardware safety" where there was no crew impact 
was a subject of the compatibility study. (See Volume III of this report). 

6.1 DESIGN CRITERIA 

The design criteria presented in the first column of Tables 6-2 
through 6-13 are written in a form which includes a statement of the 
hazard being controlled. 
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Table 6-1. Crew Safety Design Criteria Summary 

EXPLOSIVE DEVICES (10) 
    • Inadvertent firing             3M, - 
    • Misfire                        4M, 1D 
    • Device Size                    1M, - 
    • Byproduct Containment          1M, - 

ELECTRIC SHOCK (3) 
    • High Voltages                  1M, - 
    • Isolation, Grounding           2M, - 

ENERGY SOURCE ISOLATION (21) 
    • Batteries                      1M, - 
    • Short-Circuit Protection       6M, 1D 
    • Overload Protection            2M, 1D 
    • Open-Circuit Protection        -, 2D 
    • EMI                            1M, 2D 
    • Arcing                         1M, - 
    • Redundancy                     1M, - 
    • Safing Mechanisms              3M, - 
    • Thermal Extremes               -, 2D 
    • Contamination                  -, 1D 

EVA/IVA (22) 
    • Thermal Extreme                1M, - 
    • Inadvertent Actuation          3M, - 
    • Handling                       3M, - 
    • Leak Detection                 1M, - 
    • Safing                         2M, - 
    • Failure Identification         1M, - 
    • Restraint/Tethers              2M, 1D 
    • Lighting                       1M, - 
    • Isolation Protection           2M, - 
    • Containment                    2M, 1D 
    • Emergency Life Support         1M, - 
    • Sound Pressure Level           1M, - 

MATERIALS COMPATIBILITY (4) 
    • Galvanic Corrosion             1M, - 
    • Stress                         1M, - 
    • Incompatible Materials         1M, - 
    • Oxidizing or Insulating        1M, - 

IONIZING RADIATION (17) (INCLUDES NUCLEAR DEVICES) 
    • Containment                    1M, - 
    • Activation                     -, 1D 
    • Cooling                        1M, - 
    • Coolant Leaks                  2M, - 
    • Fire                           1M, - 
    • Radiation                      3M, - 
    • Monitor/Control                3M, - 
    • Jettison/Recovery              1M, 3D 
    • Decontamination                1M, - 

M = MANDATORY    D = DISCRETIONARY 
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Table 6-1. Crew Safety Design Criteria Summary (Concluded) 

CONTAMINATION/TOXICITY (9) 
    • Leak/Spill Prevention & Detection   2M, - 
    • Gas/Vapor Generation                1M, - 
    • Isolation                           2M, - 
    • Outgassing                          1M, - 
    • Particulates                        1M, - 
    • Micro-Biology                       2M, - 

FIRE (9) 
    • Source Limiting                     1M, - 
    • Self Extinguishing                  1M, - 
    • High Temp. Isolation                1M, 1D 
    • Open Flame                          2M, - 
    • Suppression                         3M, - 

FUELS & OXIDIZERS (2) 
    • Leak/Vent                           1M, - 
    • Cleanliness                         1M, - 

PRESSURE VESSELS (22) 
    • Relief Capability                   5M, 1D 
    • Quick Disconnect                    -, 1D 
    • Valves                              1M, - 
    • Pressure Integrity                  5M, 5D 
    • Monitoring                          1M, - 
    • Dumping                             1M, - 
    • Overpressure                        -, 1D 
    • Container Integrity                 1M, - 

STRUCTURAL (8) 
    • Fastening                           1M, - 
    • Fragmentation                       1M, - 
    • Manned Volume Walls                 -, 1D 
    • Extension/Jettison                  1M, 1D 
    • Securing                            2M, - 
    • Meteoroid Environment               1M, - 

SYSTEMS INTERACTIONS (5) 
    • Monitoring/Control                  5M, - 

M = MANDATORY    D = DISCRETIONARY 
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The rationale for the design criteria is basically a rendition of how 
the criteria moved through the categorization process to become either 
mandatory or discretionary. Many of the hazards being treated can cause, 
for example, an injury which will be either immediate or delayed. This 
has been included, wherever possible, to lend strength to the need for im- 
posing the criteria. This feature will allow some easing of the difficulty 
of reconsideration of the criteria during later design phases of payloads. 

6.2 VERIFICATION CRITERIA 

In the Tables 6-2 through 6-12, the verification column presents the 
lowest cost level of verification considered appropriate to demonstrate 
compliance with that particular design criterion to shuttle management. 

The rationale which substantiates the statement is contained within the 
verification process (see Section 3.3). 

6.3 CRITERIA LIMITATIONS 

It has been pointed out that these sets of criteria are restricted 
to apply within the boundaries and guidelines of this study to sortie pay- 
loads. Additional clarification to the user is included here. 

6.3.1 Critical 

The definition of safety, as used in this study, addresses crew 
safety. Hardware safety is not included except where propagation of a 
hardware hazard could impact crew safety. As a result, frequently a 
criteria statement includes the word "....critical....". A critical 
system or device is one necessary for the crew's safety such as a pyro- 
technic which must fire to release a hazardous device, or the environment 
control/life support system in a manned pressurized payload. 

6.3.2 Ionizing Radiation 

The criteria included in this section are expected to be applied to 
radioactive or ionizing sources which, in the judgement of NASA/JSC 
offices, have significant activity. 
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6.4 SUBSYSTEMS CROSS REFERENCE 

While in many cases safety criteria are best presented by hazard area, 
safety criteria are most useful to a specification writer or a hardware 
designer when presented by subsystems. Therefore, Table 6-14 presents a 
cross reference from the hazard area to hardware subsystems identified by 
NASA. In Table 6-14, each criterion number is listed under the heading of 
all subsystems to which it applies. 

Table 6-2. Explosive Device (ED) Criteria 



DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 

ED-1. Pyrotechnic devices must 
not be susceptible to inadvertent, 
untimely ignition caused by elec- 
trostatic charge buildup; the EMI 
environment of the shuttle vehicle 
and launch areas; or transient 
ground currents, wherever that 
ignition can cause shuttle damage 
or crew injury. 

Untimely initiation of a pyrotechnic device could 
cause damage to the shuttle vehicle (such as the 
payload bay doors) of sufficient severity to en- 
danger the crew. Immediate injury is possible if 
the device detonates while the vehicle is on the 
pad or in periods of high acceleration, or if a 
pyrotechnic within the manned module detonated at 
an inopportune time. Delayed injury would likely 
occur if the device detonates while in orbit. The 
crew injury would occur either during entry, or 
because entry is not possible. The criterion is 
therefore mandatory. Shielding, circuit design 
techniques, and use of already qualified devices 
are standard practice. 

Test 

ED-2. A minimum of two discrete 
and separate events must be 
required to initiate a pyro- 
technic to preclude accidental 
firing by a crew member. 

This is a credible situation, considering the 
variety of payloads and quick turn-around, and the 
inexperience of a possible passenger/P.I. The 
hazard would normally be indirect in nature, where 
the pyrotechnic damages the vehicle, causing de- 
layed injury due to possible inability to safely 
terminate the mission. The hazard could also cause 
direct serious injury or loss of life where a crew 
member was nearby (EVA or a pyrotechnic within the 
manned volume). The criterion is mandatory. These 
events may be accomplished by crew actions, logic 
circuits, or software. 

Inspection 

ED-3. Power circuits must be 
separated from pyrotechnic cir- 
cuits. A power circuit adjacent 
to a pyrotechnic circuit can pro- 
vide an inadvertent ignition 
source via induction or a short 
circuit. 

Inadvertent or untimely ignition of a pyrotechnic 
could cause vehicle damage sufficient to prevent 
re-entry (in the case of payload bay door damage). 
Immediate injury or loss of life is also possible 
in the case of cabin damage by a released object. 
The criterion is therefore mandatory. Separation 
can be accomplished by shielding within a harness, 
or by use of a separate wiring harness. 

Inspection 

ED-4. To preclude misfire, 
critical explosive trains must 
meet existing requirements for 
electrical termination, bonding 
to the surface to be severed and 
sealing against vacuum. 

This credible crew hazard (misfire) is controlled 
by this criterion. This hazard can produce in- 
direct injury to the crew by: a) immediate injury 
because of failing to jettison a hazardous device; 
b) delayed injury because of inability to safely 
terminate the mission (such as inability to close 
the payload bay doors). In either case, the 
criterion is mandatory. 

Inspection 

ED-5. If pyrotechnic batteries 
are used, critical pyrotechnic 
logic circuits must receive power 
from a source other than pyro- 
technic batteries. The logic 
circuits' power consumption can 
cause low voltage and misfire. 

Inability to fire a critical pyrotechnic device can 
cause an unsafe condition for the crew. This is a 
credible crew hazard, which is controlled by this 
criterion. Indirect, delayed injury as a result of 
not being able to safely terminate the mission can 
occur if this criterion is not applied. The 
criterion is therefore mandatory. 

Inspection 

ED-6. Critical pyrotechnic de- 
vices must have redundant charges, 
initiators, and logic circuits, 
such that failure of a single 
circuit does not preclude the 
essential operation. 

A credible hazard of misfire is controlled by this 
criterion. Indirect injury could occur to the 
crew if this criterion is not imposed: a) imme- 
diate serious injury could occur if a hazardous 
item could not be jettisoned; b) delayed injury 
could occur as a result of an inability to jettison 
a payload, making safe mission termination impossi- 
ble. In either case, the criterion is mandatory. 

Inspection 

ED-7. To insure firing of other 
pyrotechnic devices in parallel, 
the design of pyrotechnic cir- 
cuits must prevent constant power 
drain in the event the device 
short-circuits upon activation. 

A credible misfire hazard is controlled by this 
criterion, which prevents a short circuit low- 
voltage situation. Indirect crew injury can occur 
if this hazard is not controlled by: a) inability 
to jettison a hazardous item causing immediate 
injury, b) delayed injury occurring from inability 
to safely terminate the mission because of in- 
ability to jettison an item. In either case, the 
criterion is mandatory. Standard design includes 
a fusistor in the power lead to the initiator. 

Inspection 

ED-8. Explosive charges such as 
critical guillotine cutters and 
other charges must be selected to 
perform the required job with a 
minimum charge. Devices must be 
capable of performing the required 
job under worst case conditions 
with TBD margin of safety. Sizing 
requirements are to minimize over- 
blast, but assure a complete 
jettison. 

A credible crew hazard is controlled by this 
criterion. Were this hazard to occur, indirect 
crew injury could occur: a) delayed, by prevention 
of safe mission termination (an item hanging by a 
harness loose in the payload bay); and, b) immedi- 
ate, by failing to remove a hazard (unstable 
reactor) and the crew being affected by the 
hazard. In either case, the criterion is mandatory. 

Similarity/Test 

ED-9. Pyrotechnic exhaust pro- 
ducts must be contained or con- 
trolled to prevent ignition of 
peripheral combustibles or con- 
tamination of other subsystems, 
or direct crew injury. 

A credible contamination/fire hazard is controlled 
by this criterion. Indirect crew injury could 
occur from a fire in the payload bay (or manned 
volume) immediately, from fire propagation. Direct 
injury could occur within the manned volume from 
blast effect. The criterion is mandatory. 

Similarity/Test 

DISCRETIONARY 


ED-10a. To insure probability of 
ignition, critical pyrotechnic 
control devices must be provided 
with a dedicated power source. 

Lack of electrical power to fire a pyrotechnic de- 
vice at the required time can cause a serious 
hazard, resulting in at least delayed crew injury. 
However, the source of the electrical power to fire 
the pyrotechnic device is in itself the subject of 
a cost/benefit trade. In the case of a payload 
adding a dedicated battery for its associated 
pyrotechnics, using the redundant shuttle to pay- 
load power may be more feasible as well as safer 
because of a higher reliability on the orbiter 
than a supplemental battery. The dedicated source, 
then, does not eliminate a credible hazard. The 
criterion is discretionary. 

ED-10b. Pyrotechnic systems must 
have a floating ground to help in 
the protection of devices from 
inadvertent detonation due to 
vehicle EPS transients, ground 
currents, and EMI if they have a 
dedicated power source. 

Current mandatory requirements are written to re- 
quire a pyrotechnic to be unaffected by EPS trans- 
ients, ground currents and EMI surrounding the 
pyro. This criterion then is a redundancy measure, 
and though desirable, the removal of this criterion 
cannot cause an injurious situation to the crew. 
However, if ED-10a is applied, then this criterion 
is mandatory to isolate the shuttle sources from 
the dedicated sources, and therefore prevent in- 
advertent firing via "sneak-circuits" resulting 
from short circuits within the systems. The 
criterion is discretionary. 

Table 6-3. Electrical Shock (ES) Criteria 


DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 


ES-1. Payload equipment having 
high voltage (>TBD volts) com- 
ponents must be designed to pre- 
vent a crew member from coming 
into physical contact with the 
high voltage. 

Electrical shock is a credible crew hazard which is 
controlled by this design criterion. Death or 
serious injury could result from high voltage 
shock and would be a direct injury caused by pay- 
load equipment, making the criterion mandatory. 
Protection may be provided by interlocks, bleeder 
resistor, insulation, closed cases, etc. 

Inspection 

ES-2. All payload module cases 
must be electrically bonded to 
the shuttle structure per shuttle 
grounding requirements to prevent 
electrostatic charge buildup and 
electrical shock hazard. 

This criterion controls two credible crew hazards, 
with no residual hazard. Electrostatic charge 
creates an electrical shock hazard to the crew, 
creates the possibility of discharge and thereby 
provides an ignition source if flammables are pre- 
sent. The electrical discharge and consequent fire 
hazard is a credible, indirect hazard which can be 
delayed by preventing safe termination; or, imme- 
diate loss of life or serious injury. The electri- 
cal shock hazard poses possibility of direct injury 
to the crew, with the possibility of serious injury 
existing. The criterion is mandatory. 

Inspection 

ES-3. Payload modules with self 
contained electrical power systems 
must have these power systems 
electrically isolated from the 
payload module case to prevent an 
electrical shock hazard and pre- 
vent the case from being a 
radiator of internally generated 
EMI. 

This criterion helps to control the credible 
hazards but cannot control the hazards completely. 
Criterion ES-2 (above) is required to insure 
control. The shock hazard could cause immediate 
loss of life or a serious injury directly to the 
crew member. A payload case radiating EMI can 
exceed the EMI limit with danger to vehicle and 
equipment (such as pyros) which could have an in- 
direct injury effect on the crew, either 
immediately or delayed. The criterion is manda- 
tory. 

Inspection/Test 

Table 6-4. Energy Source Isolation (ESI) Criteria 


DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 


MANDATORY 


ESI-1. Batteries must be ther- 
mally isolated from each other 
and have adequate heat dissipation 
provisions to prevent battery 
overheat and explosion. 

Two credible hazards are controlled by this 
criterion. Direct serious injury or death could 
occur if the battery is in a manned volume. In- 
direct, delayed inability to safely deorbit can 
occur if the battery explodes in the payload bay. 
The criterion is mandatory. 

Analysis/Test 

ESI-2. A short or open in in- 
strumentation circuitry must not 
be capable of adversely affecting 
other systems which in turn ad- 
versely affect the crew or 
vehicle. 

This is a credible hazard, controlled by this 
criterion, which can indirectly cause injury to 
the crew by preventing safe mission termination. 

If not properly designed, a short or open can 
affect the electrical circuitry within a system 
causing loss of the system. Loss of a system 
which can interfere with the orbiter can in turn 
adversely affect the crew (short causes loss of 
power to boom extension mechanism). The criterion 
is mandatory. 

Test 

ESI-3. Electrical wiring must not 
be in contact with fluid contain- 
ers. A short from conducting 
wiring to the line or tank can 
cause loss of system integrity 
with resulting release of hazard- 
ous fluids, fires and propulsive 
venting. 

This criterion is designed to protect the vehicle 
and crew from credible hazards, and control these 
hazards. Any crew injury resulting from the 
hazards stated would be indirect in nature. 
A fire or explosion would damage the vehicle, and 
either prevent a safe termination (delayed) or 
propagate and cause serious injury or death 
immediately. Any uncontrolled venting would cause 
immediate serious injury. The criterion is 
mandatory. 

Inspection 


ESI-4. Electrical wiring must not 
be routed near sharp edges. 
Chafing of the wiring can cause 
short circuits, resulting in fire 
and circuit overload hazard. 

This criterion controls a credible hazard. In- 
direct, immediate crew injury can occur if the 
short occurs in the open payload bay and fire 
results. Direct, immediate crew injury can occur 
if the short occurs in the manned volume where fire 
can injure the crew. The criterion is mandatory. 

Inspection 

ESI-5. Adequate provisions must 
be made for maintaining separation 
of coolant and electrical com- 
ponents in pump where the fluid 
loop is critical or the pump is in 
the manned volume. 

In the manned volume, there is a possibility of 
fire when the pump shorts out causing arcing. This 
is a credible hazard, with the possibility of fire 
in the cabin and direct injury or death a possi- 
bility. This criterion controls the hazard, and is 
therefore mandatory. 

Demonstration 

ESI-6. Electrical circuits which 
can be cut by guillotine cutters 
must be protected against short 
circuits and the resultant cir- 
cuit overload and fire hazards. 

Two hazards are credible, controlled by this cri- 
terion, and can cause indirect, immediate crew 
injury or death. A short to the blade can burn the 
blade, causing a non-sever hazard, which presents 
an indirect, delayed hazard to the crew by pre- 
venting safe mission termination (something flop- 
ping around in the payload bay). The short can 
also cause a fire hazard by providing an ignition 
source. The criterion is mandatory in either case. 
Standard design is to deadface the harness before 
firing the guillotine. 

Inspection 


ESI-7. Electrical equipment, 
wiring, and connectors must be 
positively protected against 
moisture to preclude short cir- 
cuits, arcing and resultant fire 
hazards. 

This credible hazard is controlled by this cri- 
terion. The possibility of a fire as a result of 
an arc or short circuit could cause an indirect in- 
ability to terminate the mission safely (delayed 
effect) or immediate loss of life or serious 
injury, making the criterion mandatory. 

Test 

ESI-8. Capability must be pro- 
vided to switch off all electri- 
cal loads to a payload from the 
orbiter to insure control and 
safing capability should a 
hazardous situation occur. 

A hazard requiring safing is a credible possibility 
and could cause indirect injury to the crew. No 
residual electrical hazard could occur if this 
criterion is applied. If the criterion were not 
applied, damage could be such that safe mission 
termination would not be possible. It is equally 
possible that the hazard could propagate to the 
point where crew injury or loss of life could 
occur. The criterion is mandatory to prevent 
these occurrences. 

Inspection 

ESI-9. Payload modules utilizing 
shuttle electrical power must 
comply with overload protection 
and grounding requirements of the 
shuttle. This will protect the 
shuttle from overload, heat, and 
fire hazards, and the electrical 
power system from damage. 

These credible hazards are controlled by these re- 
quirements. Occurrence of this hazard could cause 
immediate injury or death to a crew member in- 
directly as a result of shuttle damage due to a 
fire, making the criterion mandatory. 

Inspection 

ESI-10. Payload-generated EMI 
must be within shuttle require- 
ments, such that the payload does 
not cause damage to critical 
orbiter systems. 

EMI damage to critical systems can cause loss of 
critical orbiter capabilities (retro-pyros, 
communications, G&N, etc.). EMI damage is a 
credible hazard if outside the specified re- 
quirements. Payload damage to orbiter critical 
functions could cause inability to safely termi- 
nate the mission. This is a delayed, indirect 
hazard to the crew, making the design criterion 
mandatory. Standard design techniques include 
grounding, shielding, and filters. 

Test 

ESI-11. Electrical umbilical dis- 
connects between the orbiter and 
the payload must be separated from 
hazardous-fluid disconnects, be 
qualified as explosion proof or 
have provisions to remove power 
during disconnect. This is to 
preclude electrical arc at dis- 
connect, and to preclude hazard- 
ous fluids at all times. 

Immediate loss of life or serious injury could 
occur to a crew member disconnecting a live 
connector in the presence of any flammable gas. 
This would be a direct effect to the crewman, and 
is a credible hazard which is controlled by this 
mandatory criterion. Standard qualified con- 
nectors are available. 

Inspection 

ESI-12. Critical, redundant 
paths, such as system monitoring 
or electrical power circuits must 
not be routed through the same 
connector. Routing redundant 
paths through different con- 
nectors precludes loss of re- 
dundancy from a single point 
failure. (See MSCM 8080, 
No. 20.) 

Loss of redundant paths via a single point failure 
is a credible hazard which is controlled by this 
mandatory criterion. Indirect injury could occur, 
either serious injury or loss of life, or shuttle 
damage which could preclude safe mission termi- 
nation, were this failure to remove all monitoring 
and an undetected hazard occur. The criterion is 
mandatory. 

Inspection 

ESI-13. Electrical valve con- 
figurations must be fail-safe in 
nature and removal or interrup- 
tion of power must not allow re- 
lease of fluids, or undesired or 
uncontrolled venting. 

An improperly open valve presents a credible 
hazard to the crew, which is controlled by this 
criterion. Dumping or propulsive venting allows 
for indirect, but immediate crew injury (motion). 
Dumping or venting a hazardous fluid could cause 
a fire or explosion, either of which could cause 
immediate crew injury or death by: a) indirect if 
exterior to manned volume; or b) direct if inside 
manned volume. For either situation, the 
criterion is mandatory. 

Inspection 

ESI-14. Safing mechanisms must 
be provided to prevent inadver- 
tent actuation of equipment whose 
actuation could result in an 
immediate uncontrolled hazardous 
situation. 

Uncontrolled hazards (such as uncontrolled pro- 
pulsive venting, inflating objects within the 
payload bay, etc.) can cause spacecraft motion or 
damage which will injure the crew. This criterion 
controls the hazard of inadvertent actuation, 
which otherwise presents a credible hazard to the 
crew. There would be no residual hazard. Any 
crew injury would be indirect in nature, although 
it could be immediate (uncontrolled venting), or 
delayed because of structural damage precluding 
safe mission termination. The criterion is there- 
fore mandatory. 

Inspection 

ESI-15. Where possible crew 
injury may result, automatic 
devices must be provided to shut 
down or prevent operation of pay- 
load equipment under unsafe con- 
ditions. 

Allowing the experiment equipment to operate under 
unsafe conditions allows a crew hazard to exist. 

If the equipment is inside the manned volume, 
direct crew injury can occur. Credible hazards 
which will be controlled by this criterion can 
occur during equipment operation which could 
affect the crew causing direct injury or loss of 
life. The criterion is therefore mandatory. 

Demonstration 

DISCRETIONARY 

ESI-16. To preclude loss of bus 
voltage with loss of one or more 
batteries, all payload batteries 
must be capable of isolation 
from the bus. 

Battery isolation within a payload is in the in- 
terest of R/QA. Failure of a battery may shut 
down a payload, but will not interact with the 
vehicle, as payload-supplied circuits are isolated 
from orbiter-supplied circuits. No credible 
hazard can occur, thus the criterion is discre- 
tionary. Standard design includes diode and re- 
lays. 

ESI-17. Payloads utilizing 
batteries must insure that bat- 
tery cell terminal connection 
areas are isolated from any cell 
or battery venting to preclude 
corrosion of battery terminal 
connections, with possible loss 
of the battery output capability. 


Corrosion of the connecting member could cause loss 
of battery and loss of payload operability. Since 
fail safe and isolation from orbiter already is 
required, there is no manned safety impact. The 
criterion is discretionary as credible crew safety 
hazard is not involved. 


ESI-18. Automatically operated 
devices (heaters) in system com- 
ponents (tanks, batteries, etc.) 
must be designed so as to fail in 
the off mode. Devices which fail 
on are a hazard as no control can 
be exercised. 


Devices which can fail on will cause an overheat 
and consequently a hazardous condition. Prime 
result would be loss of the system (fluids vented, 
battery degraded). The excess current drain on 
the orbiter could be precluded by turning the 
system down. Over-pressure vents which are re- 
quired will prevent vehicle damage/crew injury. 
This criterion then does not protect a crew 
member from a credible hazard but is R/QA oriented 
for the payload system. The criterion is there- 
fore discretionary. 


ESI-19. To preclude undetected 
high resistance or open circuits, 
swaged eyelets must not be used 
to form a solderless connection 
between conductors. 


Swaged eyelets may result in high resistance or 
open circuits, resulting in low power or loss of 
power to the payload. Loss of power to a fail- 
safe condition in the payload does not present a 
credible hazard to the crew. This criterion is 
discretionary, dealing with the payload's ability 
to operate. 


ESI-20. To preclude inability to 
cycle equipment and return to 
normal operation, non-replaceable 
fuses and inaccessible circuit 
breakers must not be used. 


The inability of the crew to cycle a payload 
circuit breaker or replace a fuse and re-start the 
experiment may cause loss of the experiment. It 
does not constitute a credible hazard to the crew, 
and therefore is discretionary. 


ESI-21. Fluid lines must be de- 
signed and/or insulated so as to 
prohibit freezing or boiling of 
the fluid under static and normal 
flow conditions or, should freez- 
ing or boiling occur, to prevent 
permanent system damage. 


Lines and containers are sized such that 
there is adequate safety factor to preclude a loss 
of system integrity. The worst case occurrence, 
then, is loss of the payload or subsystem. Since 
the payload can be shut down (and fail safe) loss 
of the system involves loss of the payload, but no 
credible hazard can occur, leaving the criterion 
discretionary. 

Table 6-5. EVA/IVA (E/I) Criteria 

DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 

E/I-1. To preclude skin burn 
or reflex injury, IVA crew members 
must not be exposed to payload 
temperature extremes (less than 
TBD, greater than TBD). 


This criterion controls a credible crew hazard. 

Any injury would be of a direct nature. The injury 
could be serious enough to terminate the mission. 
Extreme temperatures can burn the skin causing 
injury. Extreme temperatures can also cause reflex 
pull away with arm/elbow injury, damage to 
equipment to rear of crewmember, inadvertent switch 
actuation, etc. The criterion is mandatory. 


Inspection/Demonstration 


E/I-2. Critical payload controls 
requiring detachable actuating 
tools must readily show the con- 
trol position without the tool in 
place. Detachable tools must not 
be used if tool non-availability 
could compromise crew safety. 
(See MSCM 8080, Nos. 56 and 65.) 


Tool non-availability presents a credible hazard 
which is controlled by this criterion. No residual 
hazard of this type would occur. Tool nonavail- 
ability would cause inability to operate control 
under urgent conditions. Indicator non-availability 
causes crew members to not know conditions of equip- 
ment, both in normal and emergency conditions. 

These conditions would allow malfunction before 
correction could be made with resultant crew injury. 
Inside the manned volume, serious crew injury could 
result directly. Outside the manned volume, in- 
direct and delayed inability to terminate could 
occur, also immediate crew injury or loss of life 
could occur. The criterion is mandatory. 


Inspection 


E/I-3. Distinctive identification 
must be made when otherwise 
identical switches are located on 
the same panel and the result of 
out-of-sequence operating could 
be serious. 


Accidental activation of a critical switch can 
allow hazardous operations to occur (e.g., out-of- 
sequence), which are precluded by this criterion. 
Accidental switch activation which can occur on 
critical systems poses a definite hazard to the 
crew. Any injury would be indirect in nature 
(for the equipment outside the manned volume) and 
could be either immediate injury or delayed in- 
ability to safely deorbit. If the equipment is 
inside the manned volume, injury can be direct and 
immediate. Out of sequence operation can also be 
designed out by use of logic circuits or interlocks. 
The criterion is mandatory. 


Analysis/Inspection 


E/I-4. Critical switch/control 
configurations must not be sus- 
ceptible to inadvertent actuation. 
Any coverguard must be designed 
so that critical switch/control 
positions can be determined with- 
out moving the coverguard to pre- 
vent delayed action. (See MSCM 
8080, No. 59.) 


Accidental activation of a critical switch can 
allow hazardous operations to occur (e.g., out-of- 
sequence), which are precluded by this criterion. 
Accidental switch activation which can occur on 
critical systems poses a definite hazard to the 
crew. A residual hazard (E/I-3) has been identi- 
fied. Any injury would be indirect in nature (for 
the equipment outside the manned volume) and could 
be either immediate injury or delayed inability to 
safely deorbit. If the equipment is inside the 
manned volume, injury can be direct and immediate. 
The criterion is mandatory. Standard switch guards 
can help preclude inadvertent activation. 


Inspection 

Table 6-5. EVA/IVA (E/I) Criteria (Continued) 


DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 

E/I-5. Caution and warning 
systems must provide timely warn- 
ing of equipment safety parameters 
and status of critical control 
functions (such as airlock pres- 
sures, door positions, overboard 
vents and payload erection/retrac- 
tion mechanisms) to allow timely 
corrective actions, and avoid 
accidents caused by lack of know- 
ing systems configuration. 

Safety critical parameters (manned atmosphere), 
which may go out of tolerance, require timely 
caution and warning to allow corrective actions to 
be taken in time to insure crew safety. This 
credible hazard is controlled by this criterion. 

The type injury/damage is a function of the out of 
tolerance subsystem. An ECLS malfunction can cause 
direct, immediate crew injury or death. Retraction/ 
erection mechanisms can cause indirect, delayed 
inability to safely terminate the mission. The 
criterion is mandatory. 

Inspection/Demonstration 

E/I-6. Crew members must not be 
exposed to sharp points or edges 
(less than TBD radius of curva- 
ture) that could puncture or tear 
the pressure suit during EVA. 

Torn suit leaves a distinct possibility of loss of 
crew member. This credible hazard is controlled 
by this criterion. Any injury to the crew member 
would be direct in nature, and serious injury or 
loss of life can occur with loss of pressure suit 
integrity. The criterion is mandatory. Standard 
design such as rounded corners can eliminate this 
problem. 

Inspection 

E/I-7. Handles or grips must be 
provided for physical transport 
of payload components requiring 
transport to preclude loss of 
control during transport. Such 
components must be capable of 
withstanding impact of TBD feet 
per second with a sharp object 
(TBD radius of curvature) without 
releasing the contents. 

This criterion is to insure the crew is not in- 
jured by loss of control of an object, or by 
release of its contents, both of which are credible 
hazards. This criterion is sufficient to control 
this hazard, which, if it occurred, could cause 
direct serious injury to the crew member by trap- 
ping, crushing, or by the release of contents. The 
criterion is therefore mandatory. 

Inspection/Demonstration 

E/I-8. Manned payload modules 
must provide means for detecting 
and purging or dumping a toxic, 
flammable or oxygen-enriched 
environment (IVA) when such sub- 
stances are part of the payload. 

Allowing undetected environments which allow a 
hazard to the crew directly endangers the occu- 
pants of the manned module and if undetected can 
also propagate to the flight check. This credible 
hazard is controlled by this criterion. Any of 
these atmospheres caused and undetected by the 
payload allows the possibility of direct serious 
injury or death by the atmospheres and resultant 
chance of fire. The criterion is therefore 
mandatory. 

Inspection/Test 

E/I-9. Manually operated shut- 
off valves in manned payload 
modules must be located so that 
downstream line rupture will not 
prevent access to the valves and 
control of the undesired venting. 

Any line rupture interior to the manned volume 
allows an undesirable pressure situation in 
addition to attendant hazards directly attributable 
to the gas or fluid. Any line rupture external to 
the manned volume causes strong propulsive vents 
with attendant motion injury. Either situation is 
a credible hazard which is controlled by this cri- 
terion. Inside the manned volume, direct and 
immediate injury or death could occur. Exterior to 
the manned volume, erratic motions could cause in- 
direct immediate injury or damage which later 
prevents safe deorbit. The criterion is therefore 
mandatory. 

Demonstration 

E/I-10. To preclude erroneous or 
hazardous crew action, the primary 
failure mode of all critical 
meters or measurement systems must 
be such as to give an immediate 
indication that a failure has 
occurred. 

This criterion requires that the crew be informed 
to ignore an erroneous out-of-bounds indication 
(unwarranted action not injurious to crew). The 
crew must be warned it has lost monitoring capa- 
bility and may not know of an out-of-bounds, which 
does allow a hazard to the crew. Acting on bad 
information presented by instruments can lead to a 
hazardous situation for the crew. This credible 
hazard, which can be controlled by this criterion, 
can, if not controlled, lead to either direct or 
indirect crew injury. Direct injury if the equip- 
ment is within the manned volume or crew member is 
EVA. Indirect injury if equipment is in payload 
bay. The criterion is mandatory. 

Analysis/Inspection 

E/I-11. All payload fluid/gas 
disconnects must be uniquely 
keyed, and individually marked to 
identify the nature of the sub- 
stance involved; must be positive 
locking; and must be designed to 
prevent venting/leakage during or 
after disconnect. Inadvertent 
mixing or venting of incompatible 
fluids or gases must be precluded. 

Connecting to the wrong line can introduce the
wrong gas/vent and cause reaction damage and
overpressure damage which (in a manned volume) can
propagate to the crew. Leakage after/during
disconnect can introduce overpressure in the manned
volume and hazardous gas introduction into the
manned volume. These hazards are credible hazards
which will be controlled by this criterion. Any
crew injury would be direct in nature. Serious
crew injury or death to personnel can occur as a
result of the hazards listed above. The criterion
is mandatory.

Similarity/Demonstration

E/I-12. All transportable pay- 
load items (such as tools, 
cameras, film magazines) for EVA 
usage must always be restrainable 
to either the vehicle, worksite 
or the crewman. Loose items can 
drift into positions where they 
cannot be retrieved, but can do 
later damage due to high inertia
on entry. Loss of a tool necessary
to perform a critical function
renders a hazard.

Loss of a tool necessary to insure the safety of 
the crew with respect to a payload is a real 
possibility, can result on an EVA if this criterion 
is not applied. Impact from a flying object is 
also possible if the tool floated into an inaccessi- 
ble position. In either case, crew injury may 
result indirectly, in a delayed manner and there- 
fore this criterion is mandatory. 

Inspection/Demonstration

E/I-13. All payload EVA/IVA 
worksites must be lighted to 
those required levels (TBD 
luminous) necessary to assure 
non-hazardous operation. 

Lack of adequate light at an equipment worksite may 
cause operator error and equipment damage. The 
equipment damage can be of a type to propagate and 
injure the crew. There are situations where
incorrect operation could lead to crew injury
(operating a release mechanism, incorrect switching, etc.).
The hazard is credible, and lighting is a contri- 
butor, that, in conjunction with criteria E/I-11 
and E/I-3, will prevent injury of both an indirect 
delayed nature to the crew, and direct, immediate 
injury to a crew member. The criterion is there- 
fore mandatory. 

Demonstration


E/I-14. Equipment mounted in the
payload bay which requires EVA 
must be positioned to insure that 
a fully suited EVA crew member 
cannot become wedged. 

A crew member attempting to unwedge himself could 
tear his suit. He could also complicate the 
wedging. If it is a single man EVA (Shuttle 
groundrule), serious injury or death could occur 
before rescue could be effected. This criterion 
controls a credible hazard which, if not controlled,
could lead to direct injury or death to the crew 
member. The criterion is therefore mandatory. 

Demonstration 

E/I-15. Internal and external 
areas of passageways between a 
manned payload module and the 
orbiter must be free from items 
whose malfunction could damage 
or otherwise prevent passageway 
use by the crew members. 

The present docking mechanism and passageway to 
the manned volume is not redundant. Any loss or 
damage to this passage affects the crew in the 
manned payload. This criterion will control the 
possible occurrence of a credible hazard. Crew 
injury could occur indirectly by the malfunctioned 
item failing the tunnel and trapping the manned 
payload personnel. Serious injury or death could 
occur immediately. The criterion is therefore 
mandatory. 

Inspection 

E/I-16. All crew compartment 
ventilating fans must be protect- 
ed by devices to prevent entrance 
of fan damaging debris during 
zero-gravity conditions. (See
MSCM 8080, No. 73.) 

Items floating in zero-g could enter and block or
damage needed circulation fans, causing a
malfunction hazard to the crew. This criterion
addresses a credible hazard which can occur in a
manned payload. This criterion will prevent this
malfunction hazard which would otherwise cause
direct injury to the crew within the manned
payload. This direct injury can be serious, and if
undetected, could cause death via air stoppage/
stagnation. The criterion is therefore mandatory.
Normal standard design includes filters, screens,
and fan location within the system.

Inspection 

E/I-17. Shatterable materials
must not be used within a manned
volume unless positive
protection is provided to prevent
fragments from entering the
cabin/module environment.
Photographic equipment that cannot
comply with this requirement
must be protected by suitable
covers when not in use. Cathode
ray tubes, if used, must have
safety shields. (See MSCM 8080,
No. 41.)

Shatterable materials will leave splinters and 
sharp edges floating in the manned volume which
can cut and puncture. This is a credible hazard
which can occur within a manned volume. The
hazard involved will be controlled by this cri- 
terion. Were a shatter to occur within the manned 
volume, any crew injury would be directly caused 
by the fragments. Serious injury could accumulate 
because of the many fragments within the confined 
crew area. The criterion is therefore mandatory. 

Inspection 

E/I-18. Emergency life support 
must be provided for all person- 
nel in a manned payload module 
sufficient to allow escape or 
time to control a fire or toxic 
spill.

This criterion is to protect the crew from loss of
the manned payload environment control/life
support system (by shutoff, fire, toxic
contaminant) which is a credible hazard. No residual
hazard exists if this criterion is applied. If
this criterion is not applied, loss of the
environment control/life support system of a
manned payload can cause indirect, immediate crew
serious injury or death. The criterion is
mandatory.

Inspection/Demonstration


E/I-19. Payloads with a transmission
medium (such as air or
structure) must not generate 
sound pressure levels in excess 
of TBD dB, or crew injury will 
result. 

Excessive sound pressure levels (such as the high 
discomfort region) cause discomfort and distrac- 
tion to the crew, increasing the possibility of 
crew error and a resulting hazard. Beyond the 
discomfort level is the pain level, and beyond 
that, physical injury to ear or brain. This 
credible hazard will be controlled by this cri- 
terion. Excessive sound pressure levels for some 
duration will be a direct source of injury to the 
crew. The criterion is mandatory.

Demonstration 

E/I-20. Payload equipment utiliz- 
ing mechanical motion which can 
trap, cut or otherwise injure the 
crewmember must prevent crew contact
with the moving parts.

Equipment such as high speed tape recorders, gears, 
etc., pose a hazard to the crew. This credible 
hazard will be controlled by this criterion,
preventing direct injury to the crew which would occur
with contact. Standard design practice includes
shielding, covers or interlocks to prevent contact
or stop motion if resistance is incurred. The 
criterion is mandatory. 

Demonstration 


DISCRETIONARY

E/I-21. All payload worksites
must have provisions for crewman
restraints.

Attempting to perform a job without proper
restraint is not possible (pushing in pushes the
crew-member away). There is a shuttle ground rule
saying crew-member must be tethered. This
criterion applies to a sortie payload and a credible
hazard exists (hardware), but the hazard does not
present a credible hazard to the crew member.
This is a crew/payload compatibility problem.
The criterion is discretionary.

E/I-22. Painting or coating
materials subject to flaking
must not be used in payload
equipment that is expected to be
exposed to extensive abrasion or
contact by crewman (in the manned
volume). (See MSCM 8080, No. 43.)

Paint chips and flakes loose in the manned volume
can interfere with operations. There is not
significant possibility of crew-member injury, such as
by flakes being inhaled, etc. Manned spaceflight
experience has shown that the possibility of crew
injury is not credible. The criterion is
discretionary.
Table 6-6. Materials Compatibility (MC) Criteria


DESIGN CRITERION 

CATEGORIZING RATIONALE

VERIFICATION 


MANDATORY 


MC-1. To preclude metal failure 
on critical systems (mountings, 
high pressure, hazardous fluids, 
etc.), metals of differing
potentials must not be combined.
(See MSCM 8080, No. 63.) 

Galvanic corrosion developing at critical points
causes weakened metal and eventual failure. One
must consider more than the 30-day mission time on
critical systems since corrosion starts at
assembly, not at flight time. This criterion controls a
credible hazard, and does not leave a residual
hazard; a) if in the manned volume, such failure
could cause direct injury or death, such as from
flying objects or b) if outside the manned volume,
the failure could cause delayed inability to
safely deorbit due to damage caused by the failure.
The criterion is mandatory. Standard design
requires appropriate selection, plating, or
separating (such as spaces).

Inspection

MC-2. Incompatible materials
must not be allowed to combine
where the result of the combining
can cause a hazard to the crew.
(Included here are such
combinations as flammables with liquid
or high pressure oxygen, and
mutually reactive materials
including hypergolics.)

This hazard is a credible hazard, controllable by 
this criterion with no residual hazard. Inside a 
manned volume, such a combination can cause 
direct and immediate serious injury or death to 
the crew. Exterior to the manned volume, a fire 
is an indirect, but immediate injury to the crew, 
possibility of death is very strong. The 
criterion is mandatory. 

Inspection/Test

MC-3. Materials which can react 
with electronic equipment to
oxide or form an insulating 
barrier between contacts (such as 
sulphur) must not be used in 
proximity to critical electrical 
equipment. 

Some materials (such as sulphur) can outgas and
combine with the copper or other conductor to form
an insulation coating, with consequent loss of
electrical circuits as well as payload circuits.
Loss of a critical electrical circuit could become
a real possibility, and is a credible hazard with
no residual if this criterion is applied. The
damage to the crew is indirect and delayed. Safe
termination could be prevented, or, may be
necessary to prevent some down-stream-in-time danger to
the crew. The criterion is mandatory.

Inspection 

MC-4. To prevent loss of systems 
integrity on structural mountings, 
connectors and sleeves on fluid 
lines and structures must be of a 
material resistant to stress 
corrosion cracks when 1) torqued 
to required levels and 2) exposed 
to expected environment. (See
MSCM 8080, Nos. 14 and 113.) 

Stress corrosion and metal fatigue failure can
cause loss of structure on the pressure system.
The hazard which can occur is a credible hazard
with no residual hazard if this criterion is
applied: a) if the pressure system were ECLS or
in the manned volume, direct and immediate crew
injury could occur; b) if the pressure system or
structure is outside the manned volume, indirect
and delayed injury to the crew is possible, with
safe mission termination not possible. In either
case, the criterion is mandatory.

Similarity/Inspection/Test
Table 6-7. Ionizing Radiation (IR) Criteria*


DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 


IR-1. Fragmentation, blast over
pressure and fireball protection 
adequate to assure containment of 
all radioactive material must be 
provided by the isotope-source 
payload supplier to preclude re- 
lease of radioactive material 
should a shuttle accident occur. 

Any radioactive leak endangers the crew with over- 
dose and also contaminates the vehicle. This 
criterion is to protect the crew against a credible 
hazard. This criterion would allow direct injury, 
most likely, premature death resulting from over- 
dose. The criterion is mandatory. 

Test 

IR-2. Nuclear device payload 
suppliers must assure that criti- 
cal nuclear subsystems are main- 
tained at proper temperatures to 
remain stable. 

Some payloads may have sodium-potassium loops 
which may freeze and rupture at cold temperatures.
Some Brayton-type systems require constant cooling.
In either case, the criterion is to eliminate a
credible hazard to the crew. No residual hazard
exists if this criterion is applied. Since over
temperatures may result in release of radioactive 
material resulting in direct injury or premature 
death to the crew, this criterion is mandatory. 

Inspection 

IR-3. Reactor payloads must
preclude any leak of sodium-
potassium coolant. Exposure of
the sodium to oxygen will result
in a liquid metal fire. 

This criterion is designed to eliminate a credible 
hazard. No residual hazard will exist. A liquid 
metal fire could propagate to the crew and there- 
fore cause indirect, immediate crew injury. The 
criterion is therefore mandatory. Standard design 
includes double containment and inert gas blankets 
while in the atmosphere. 

Pressure Test 

IR-4. The design of payload re- 
actor coolant loops that use 
sodium-potassium as a primary 
coolant must not require break- 
ing or opening during orbital 
operations. The sodium-potassium 
may be at very high temperatures 
and the EVA suit is incompatible 
with the liquid metal. 

This criterion is designed to prevent the occur- 
rence of a credible hazard to the crew. No 
residual hazard is allowed, and serious crew injury 
or death could occur directly from exposure to 
sodium-potassium if the criterion is not applied;
therefore, the criterion is mandatory.

Inspection 


IR-5. A liquid metal fire 
suppression system must be pro- 
vided by the nuclear reactor pay- 
load for use at any time the 
orbiter is in an oxygen environ- 
ment. 

Liquid metal fires cannot be extinguished by normal
methods. The damage of liquid metal release is
real during aborts, pad emergencies or hard
landings, and special fire supplements are the only
method of controlling such a situation. A real
credible hazard to the crew exists, which is
controlled by this criterion. Indirect but immediate
serious injury or death to the crew can occur via
an unsuppressed fire if this criterion is not
applied. The criterion is mandatory.

Inspection/Test

IR-6. A nuclear payload must be 
maintained so as not to exceed 
the allowable crew dose rate.



Within payload bay and c.g. envelope constraints,
the greater the distance, the less the dose rate
that can be tolerated. This criterion is to
reduce a credible (existing) hazard to the crew.
Any injury received as a result of violating this
criterion will lead to overdose and possible
premature death. The criterion is mandatory.
Standard practice is to maintain maximum possible
distance and shielding sufficient to reduce the
dose levels to acceptable limits.

Inspection/Demonstration


*Includes nuclear devices 

IR-7. Manned payload modules
must be designed for rapid
personnel evacuation and seal-off,
if contaminated, until return to
earth or decontamination can be
effected, to minimize
over-exposure to the crew.

This criterion is applied against a sortie payload/
sortie payload subsystem. It is designed to
control a credible hazard to the crew. This criterion
does not completely control the hazard (see also
IR-10 and IR-13). The consequence of not applying
this criterion can be a direct serious injury or
premature death from over-exposure; therefore,
the criterion is mandatory.

Inspection/Demonstration

IR-8. Vidicon design must 
eliminate radiation hazards to 
the crew and/or to surrounding 
equipments. 

The amount of radiation a crew member can
withstand is limited. An X-ray emitting vidicon
could contribute significantly to this total.
Since radiation reaching the crew is accumulating,
a vidicon, which can be part of a sortie payload,
poses a credible hazard to the crew. This
criterion above controls this source of radiation,
not all radiation. Injury to the crew would be
direct in nature, and can cause permanent injury
or premature death, making the criterion mandatory.
Methods of X-ray control include shielding and
lower voltage operation.

Test 

IR-9. Redundant status monitoring
and control equipment must be
provided for nuclear payloads.
Indication of instrument
malfunction shall be included.

While the nuclear payload itself is not a hazard,
it can easily become one. A malfunction
instrument is a single point failure of a type which
prevents the crew from knowing the condition of a
controllable payload. This criterion is designed
to control a credible crew hazard. Injury
resulting from this hazard could be: 1) direct in
nature (overdose) resulting in serious injury or
premature death, or 2) indirect in nature (over
temperature, sodium-potassium leak) resulting in
fire and immediate injury or death. The
criterion is mandatory.

Demonstration 

IR-10. Payload suppliers must 
provide equipment for locating 
radioactive material which has 
been inadvertently released in a 
manned module. 

Locating the released material is a prerequisite
for any decontamination procedure, and must be
accomplished if the crew is to/must occupy the
area. This criterion is designed to allow control
of a hazard (remedial measure). The hazard this
would control is credible, and could cause direct
crew injury or premature death if not controlled.
Criterion IR-13 also is important in complete
control of the hazard. This criterion is mandatory.

Inspection/Demonstration

IR-11. Direct visual or TV 
coverage must be provided for 
nuclear isotope component
transfers so as to allow the crewman
to insure that the radioactive 
material is properly located and 
shielded. 

This criterion is to eliminate a hazard which is
credible, and if this criterion is applied, no
residual hazard will exist. Any injury incurred
as a result of not applying this criterion would
likely be direct, with radiation causing
premature death or serious injury. Indirect, delayed
injury could occur if a component were simply not
properly secured and shifted during reentry.
The criterion is mandatory.

Demonstration 


IR-12. Tracking and recovery 
devices must be included on
nuclear payloads if, for any
reason, the payload is jettisonable.
Recovery of the device is
to prevent dispersal of radio- 
activity and hazard to the 
populace.

This criterion does not directly endanger the crew. 
It prevents danger to the populace because of a
crew action or shuttle failure. The criterion is 
mandatory. Tracking and recovery devices might 
include dye markers, beepers, and flotation gear. 

Demonstration 

IR-13. Pressurized, manned pay- 
load modules, in which hazardous, 
radioactive materials are being 
used, must be equipped with an 
airlock and with radiological de- 
contamination equipment as well 
as waste storage and/or disposal 
provisions.

Inability to decontaminate allows the spilled 
radiation to cause a continuing added source with 
attendant overdose to the crew. This criterion is 
to control a hazard (remedial action) which is 
credible. This criterion with IR-10 completely 
controls the hazard. Any injury to the crew would 
be direct (overexposure) and could be either 
serious injury or premature death. The criterion 
is mandatory. 

Inspection/Test 

DISCRETIONARY 

IR-14. Nuclear reactors must not 
be activated while in the 
immediate proximity of the 
orbiter.

Activation of an RTG within the cargo bay does not
in itself pose a hazard to the crew. The criterion
applies to a sortie payload, but does not protect 
the crew from a credible hazard. The criterion is 
therefore discretionary. 


IR-15. A reactor disposal system 
capability must be provided with 
all nuclear payloads to boost (to 
high-earth orbit) any damaged 
reactor power module. 

Sufficient criteria have been constructed to
insure minimum damage probability. If damage does
occur, simple jettison would suffice to protect 
the crew and vehicle. Boosting to high-earth 
orbit is discretionary. 


IR-16. Payload reactor/shield
assemblies must be designed to be 
separable if reactor disposal in 
high-earth orbit is to be used. 

Disposal of the shield with the reactor is just as 
acceptable to the crew. No hazard is avoided by
applying the criterion. It is a cost/benefit to
reuse the shield. The criterion is
discretionary.


IR-17. Payloads which can be 
jettisoned must be ejectable 
through the payload bay doors. 

Consideration must be given to such modes for 
contingency operation. However, this criterion 
does not remove a crew hazard, per se. The hazard 
should have been controlled by other criteria in
this section. The criterion can cause another crew
hazard, except on the pad. On the pad, the isotope
device must be capable of withstanding an accident. 
This criterion is discretionary. 
Table 6-8. Contamination/Toxicity (C/T) Criteria


DESIGN CRITERION

CATEGORIZING RATIONALE

VERIFICATION

MANDATORY

C/T-1. To preclude inadvertent
spills of hazardous fluids,
payload equipment intended for use
as holders, receivers, or
transfer devices must have no-spill,
positive-sealing characteristics.

Accidental spill of a fluid exposes the crew to the
particular hazard associated with that fluid
(fire, poison, acid burn, etc.). This criterion is
designed to protect the crew from a credible
hazard. No residual hazard exists if this
criterion is applied. Direct, immediate, serious
injury or death can occur from release of a
hazardous fluid if this criterion is not applied.
Therefore, this criterion is mandatory.

Demonstration

C/T-2. To minimize the effect of
hazardous spills, systems must be
provided for detection and
collection of spilled hazardous
fluids or materials.

Since many hazardous fluids can exist, and which
ones are used is a function of the payload, payload
equipment must sense and warn the crew of spilled,
hazardous fluids. This criterion applies to
subsystems of a sortie payload and is designed to
protect the crew from a credible hazard. A
residual hazard exists, but can be avoided by
evacuation of the compartment (see C/T-5). Injury
resulting from undetected hazardous fluids would
be direct in nature, and can cause serious injury
or death, as a function of the fluid. The
criterion is mandatory.

Demonstration/Test

C/T-3. Materials must not be
used in habitable areas of a manned
spacecraft which will generate
toxic or noxious fumes or dust in
such concentration as to impair
crew safety. (See MSCM 8080,
Nos. 18, 33, 51 and 125.)

This criterion applies to the materials selection
of a sortie payload and is designed to eliminate
a credible hazard to the crew in the manned
volume. Direct crew serious injury or death can
occur from excessive levels of noxious or toxic
gasses within the manned atmosphere. The
criterion is mandatory. Examples include:
a) un-alloyed Beryllium, b) carbon black,
c) cadmium, d) polyvinyl chloride, and e) teflon
wiring insulation with organic pigments. The
criterion is mandatory.

Similarity/Test
(For new materials)

C/T-4. Toxic, flammable,
corrosive, or otherwise harmful fluid
(or gas) containers must be
located in unpressurized volumes
of pressurized payloads or be
double-contained such that a
simple failure of the container
will not expose the crew to the
fluid gases.

This criterion is designed to protect the crew
against a single point failure (rupture/leak of
a container) which is a credible hazard. No
residual hazards exist if this criterion is applied.
Direct, immediate serious crew injury or death
could occur should such a failure occur, releasing
the hazardous gas within the manned volume. The
criterion is mandatory.

Inspection/Demonstration

C/T-5. If a payload operation
poses risks of an explosion, fire,
collision, open flame, etc., it
must not be installed in the
shuttle cabin which is needed for
safe shuttle return.

This criterion is designed to isolate a credible
crew hazard. If the shuttle cabin becomes
contaminated, safe mission termination may not be
possible. This causes indirect, delayed crew
injury which makes the criterion mandatory.

Inspection/Demonstration








C/T-6. Outgassing of payload
equipment materials in vacuum
must be at a sufficiently low
level so as not to deposit on and
obscure or damage sensitive
surfaces necessary for shuttle
operation. Non-availability of
critical systems or surfaces
(such as optics, or damaged
thermal layers) may jeopardize
shuttle operation, and therefore
cause mission termination.

This criterion applies to sortie payload equipment 
exterior to the manned volume, and is designed to 
prevent a credible hazard. No residual hazard 
exists if this criterion is applied. Failure to
apply the criterion may indirectly affect the crew
by causing the inability of the vehicle to operate 
properly, possibly causing inability to terminate 
the mission. The criterion is therefore mandatory. 

Similarity/Test

C/T-7. Critical close-tolerance 
systems must be adequately pro- 
tected from particulate contami- 
nation to prevent loss of the 
fluid system with consequent 
hardware failure which could 
propagate to crew hazards. 

This criterion is to protect the crew against loss
of a critical system from particulate matter.
This credible hazard is controlled by this
criterion. Injury from loss of a system can be
direct (such as the environment control system) or
indirect. Indirect injury can be either delayed
or immediate, and serious injury or loss of life
could occur by any of the three avenues, making the
criterion mandatory. Normal design procedure
includes filters and provisions for flushing the
system.

Inspection 

C/T-8. Packing of pathogenic 
containers must be capable of 
withstanding off-nominal landings 
to protect the crew and ground 
personnel from exposure. 

This criterion protects personnel from a credible 
exposure hazard. No residual hazard exists if 
this criterion is applied. Direct, serious injury 
or death from the disease could occur if the con- 
tainer were to burst and expose personnel, making 
the criterion mandatory. 

Analysis/Test 

C/T-9. Payloads containing
pathogenic, microbiological or
biological experiments must be 
compartmented to isolate such 
organisms from human contact dur- 
ing ground and flight operations 
in order to protect the health 
and safety of the crews. 

This criterion will preclude a credible crew 
hazard from occurring, that of exposure to harmful 
microbes. No residual hazard exists if this 
criterion is applied. Failure to apply this
criterion would allow exposure of the crew to
hazardous microbes, with the possibility of direct,
immediate, serious injury or death resulting.
Thus, the criterion is mandatory.

Demonstration/Test
Table 6-9. Fire (F) Criteria


DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 

F-1. Flammable or explosive
material within TBD feet of the
single entrance to a compartment
must not, if accidentally re- 
leased, preclude shirt sleeve 
access through the entrance, thus 
trapping the occupants. 

This criterion protects the crew from a credible 
hazard associated with energy release. No residual
hazard exists if this criterion is applied. If
this criterion were not applied, direct injury by 
the material release could occur to occupants of a 
compartment, causing serious injury or death to a 
crew member. This makes the criterion mandatory. 

Analysis 

F-2. Payload materials used
within the manned volume must be
designed to the same flammability
constraints as the orbiter.
Where the nature of an experiment
involves a combustible process,
it must be isolated by payload
equipment. Fire prevention within
the cabin, at least to the
level of orbiter design, is
required to protect the crew. (See
MSCM 8080, No. 22.)

This criterion is to protect the crew from an
unacceptable level of fire hazard. The hazard is
credible, and no residual hazard exists if this 
criterion is applied. The occurrence of fire 
within the manned volume creates the possibility 
of direct, serious injury or death to the crew. 
Thus, the criterion is mandatory. 

Inspection/Test

F-3. Equipment containing hot
surfaces (in excess of TBD °F)
must be isolated so as not to be 
a source of ignition for flam- 
mable materials within the 
manned volume. 

This criterion is to protect the vehicle/crew from
fire on the shuttle, a credible hazard. No
residual hazard exists from this ignition source if
this criterion is applied. If an ignition were to
occur within the manned volume, direct, serious
injury or death could occur from the sustained
fire. If an ignition were to occur exterior to
the manned volume, indirect, serious injury or
death can occur either immediately, due to
propagation of the fire, or delayed because of
inability to enter as a result of vehicle damage.
The criterion is mandatory.

Analysis/Demonstration

F-4. Potential ignition sources 
in the payload (such as switches
and relays) must be contained so 
as to prevent open arc or spark 
generation. 

The criterion applies to subsystems of a sortie 
payload, and is designed to protect the crew 
from a credible fire hazard. No residual hazard 
exists if this criterion is applied. Within a
manned volume, failure to apply this criterion 
allows available ignition sources which can 
ignite a combustible, causing indirect but
immediate crew serious injury or death from the 
fire. The criterion is mandatory. 

Inspection

F-5. Exhaust producing hot gas
systems must not be used by
payloads. Hot gas exhaust
by-products, and/or the flame itself,
can damage the payload bay area
or cause secondary fires within
the bay.

The criterion applies to a sortie payload subsystem
(mounting/jettison capability), and is designed to
protect the vehicle and crew from a credible
hazard, which is completely controlled by this
criterion. Indirect, immediate, serious injury or
death can occur, if this criterion is not applied,
as a result of a fire onboard. Indirect, delayed
inability to safely terminate the mission can also
occur if damage to the payload bay/doors could
cause aerodynamic instability upon entry. The
criterion is mandatory. Jettison can be
accomplished by closed, hot gas systems, or kinetic
energy methods such as springs.

Inspection
Table 6-9. Fire (F) Criteria (Concluded)


DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 


F-6. To preclude uncontrollable
fires, payloads which introduce 
extraordinary or unusual fire 
hazards must supply the necessary 
suppression equipment. 

This criterion protects the crew from a credible 
fire hazard. No residual hazard exists if this 
criterion is applied. If in the manned volume, 
failure to apply this criterion allows possi- 
bility of fire with direct, serious injury or 
death of the crew member occurring. Exterior to
the manned volume, failure to apply this criterion
indirectly jeopardizes the crew by allowing possi-
bility of fire and vehicle damage, preventing safe
mission termination; or if the fire propagates to
the manned volume, immediate, serious injury. In
either case, the criterion is mandatory. 

Inspection 

F-7. A manned payload module
must have both manually (local) 
and remotely controlled means of 
fire suppression and control. 
Local control of small blazes, or 
remote control of a fire which 
forces evacuation of the compart- 
ment are necessary to control the 
possibility of crew injury. 

This criterion protects the crew from a credible 
hazard. E/I-18 supplies life support to help 
the crew escape the fire should that be necessary. 
This minimizes the residual hazard. When the
manned module is occupied, direct, serious injury
or death could occur as a result of an unsuppressed
fire. When the manned module is not occupied, 
inability to remotely extinguish a fire will allow 
serious consequences, possible propagation to 
the vehicle cabin resulting in indirect, immediate 
serious injury or death to the crew. The cri- 
terion is mandatory. 

Inspection 

F-8. Capability must be provided
to automatically shut off air 
circulation fans in a manned pay- 
load module upon detection of a 
fire within that module for pur- 
poses of fire control and con- 
tainment. 

This criterion is levied against a sortie payload 
subsystem, and is designed to protect the crew 
from a credible hazard of fire. The hazard of 
lack of life support is covered by E/I-18, 
and extinguishing the fire by F-7. If this 
criterion is not applied, the oxidizer needed for 
support of the fire will not be removed, and in-
direct but immediate serious injury or death can
occur. Thus, the criterion is mandatory. 

Demonstration 

DISCRETIONARY 

F-9. Payload instrumentation and 
command links must be protected 
from open fire to insure control 
capability of payloads. 

This criterion is levied against a sortie payload, 
and is designed to protect the crew from a hazard, 
loss of payload control. However, the hazard is 
not a credible hazard, as open flame is not al- 
lowed, and other criteria are to prevent accidental 
fires, leaving the criterion discretionary. 
Table 6-10. Fuels and Oxidizers (F/O) Criteria


DESIGN CRITERION

CATEGORIZING RATIONALE

VERIFICATION

MANDATORY 


F/O-1. To preclude the possi-
bility of fires or explosion,
payload cryogenic fuels and
oxidizer systems must be designed
to preclude accumulation or 
mixing of the combustibles in any 
unintended location. 

Accumulation of fuels/oxidizers can cause fire 
hazard; accumulations which mix can cause danger 
of explosion or fire. This criterion controls this 
particular hazard. There is no residual hazard.
Any injury to the crew from occurrence of this
hazard would be indirect in nature, with a fire/
explosion damaging the vehicle. Immediate serious
injury or death could occur from propagation of the
fire; indirect delayed inability to safely deorbit 
could occur if damage to the vehicle was exterior. 
The criterion is mandatory. 

Inspection 

F/O-2. Cleanliness requirements
for fuel and oxidizer systems 
must be consistent with shuttle 
cleanliness requirements. Con- 
taminants in such systems can 
form explosive combinations. 

This criterion protects the vehicle and crew from 
a credible explosive hazard. Indirect, immediate 
serious injury or death can occur from these 
explosive combinations detonating and the result- 
ant fire propagating to the manned volume. The 
criterion is mandatory. 

Inspection 
Table 6-11. Pressure Vessel (PV) Criteria


DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 

PV-1. Redundant venting pro-
visions must be provided on
cryogenic and hydrogen peroxide
systems which have pressure
buildup in normal conditions.

This criterion is to protect the vehicle and crew
from a credible hazard (overpressure). No resid-
ual hazard exists if this criterion is applied.
Injury to the crew would be indirect in nature,
where the overpressure release would affect the
vehicle, and crew members could experience
immediate serious injury or death from pressure
damage or uncontrolled motion due to propulsive
venting. The criterion is mandatory. Secondary
relief valves or burst disks are normal design. 

Inspection 

PV-2. Regulator shutoff valve 
design must include extremes for 
temperatures such as the conse-
quence of flow through a stuck-
open regulator. An inoperable
shutoff valve exposes downstream 
equipment to over-pressure 
action. 

This criterion is to protect the crew from a 
credible hazard. Occurrence of this hazard can 
directly affect the crew, causing death or serious 
injury when the environment control system is in-
volved, or the equipment explodes in the manned
volume. Indirect, immediate serious injury can 
also occur if the regulator sticks and resultant 
explosion does damage to the vehicle. The 
criterion is therefore mandatory. 

Test 

PV-3. For all payload equipment 
requiring an operative vent, 
equipment operation must be pre- 
vented in the event of vent sys- 
tem malfunction to preclude 
critical over-pressurization of 
the vent system. 

This criterion is to protect the crew member from 
a credible hazard. If operation were to take 
place under these conditions, over-pressure and 
explosion of the vent line could result; direct 
crew injury would result. Injury occurring as a 
result of this hazard would be direct in nature 
with the over-pressured line exploding and frag- 
ments injuring the crew member. The criterion is 
therefore mandatory. 

Demonstration

PV-4. Each payload pressure 
system must have a relief capa- 
bility; however, any venting into 
the payload bay must not exceed 
the bay venting capability with 
the payload bay doors closed. 

Relief capability is to prevent explosion; vent 
restriction is to prevent over-pressure damage to 
the orbiter. This criterion is designed to pre- 
vent these hazards, which are credible. If this 
criterion is applied, there is no residual hazard. 
Any injury to the crew as a result of not apply-
ing this criterion would be indirect in nature,
with the most likely situation being damage to the 
vehicle of such a nature that safe termination 
would not be possible. The criterion is mandatory. 

Analysis 

PV-5. High pressure gas lines
and vent lines must be secured 
to preclude a line rupture from 
producing line whipping with 
consequent damage to the vehicle 
or injury to a crew member. 

This criterion, if applied, protects the crew from 
a credible hazard. This criterion will control 
the hazard and any crew injury will be indirect in
nature, most likely by making the vehicle unsafe 
for mission termination. The criterion is 
therefore mandatory. 

Analysis/Inspection
Table 6-11. Pressure Vessel (PV) Criteria (Continued)


DESIGN CRITERION

CATEGORIZING RATIONALE

VERIFICATION

MANDATORY

PV-6. Components that are sensi-
tive to fluctuations in supply
pressure must be designed so that
their failure mode does not vio-
late the system pressure in-
tegrity. Release of the pressur-
ized fluid constitutes a hazard
to vehicle/crew as well as other
payloads. Hazardous fluids can
cause a direct hazard; other
fluids cause a propulsive vent
(payload bay) or over-pressure
of manned volume.

This criterion is to protect the crew from
credible pressure source hazards. Direct crew
injury or death could occur if the pressure is
vented into the manned volume or if a fire can
occur. Indirect crew injury can occur if venting
in the payload bay causes propulsive effects.
The criterion is mandatory.

Test

PV-7. Payload battery cases must
be capable of withstanding worst
case over-pressures without
rupturing.

This criterion applies and the hazard being con-
trolled presents a credible hazard to the crew.
There is another criterion (ESI-1) which con-
tributes to complete control. Without this
criterion, direct crew serious injury or death
could occur if the battery were in a manned
module. Indirect immediate serious injury
could occur if the battery were external to the
manned volume. The criterion is mandatory.

Test

PV-8. Payload equipment in a
manned volume must be designed to
withstand a rapid decompression
without causing a hazardous con-
dition such as exploding or
allowing flying objects to be in
the manned volume. (See MSCM
8080, No. 2.)

This criterion applies and is designed to prevent
a credible crew hazard from occurring. Direct,
immediate, serious crew injury or death could be
caused by the results of an "explosion" of equip-
ment during decompression. The criterion is
therefore mandatory.

Test

PV-9. All hazardous fluid or
gaseous system valves must be
completely operable with either
an upstream or a downstream
pressure differential equal to
the maximum system pressure. Any
valve can be called upon to shut
off a section of line because of
breakage and prevent dumping the
fluid. A vented or dumped
hazardous fluid endangers the
crew directly or indirectly.

This criterion is designed to protect the crew
from a credible hazard. If the lines/valves were
in a manned volume, or part of the environment
control system, direct, immediate, serious injury
or death could occur. If the lines/valves were
outside the manned volume, fire and indirect,
immediate injury is possible. The criterion is
mandatory.

Demonstration/Test

PV-10. Fluid and vacuum lines
penetrating a manned payload
module must meet all the design
criteria of the main pressurized
volume. Protective systems must
be designed with the capability
to protect against failure of
the largest penetration.

This criterion is to prevent a failure of a line
which could act to vent the manned sortie module
to space or release a fluid into the module.
This criterion applies and is designed to protect
the crew from a credible hazard. Should either
a release of fluid or a vent occur, direct injury
to the crew could occur and would be immediate,
with possibility of serious injury or death
occurring. The criterion is therefore mandatory.

Test
Table 6-11. Pressure Vessel (PV) Criteria (Continued)


DESIGN CRITERION 

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 

PV-11. Differential pressure
gauges must be designed so that
the high and low pressure sensing
connectors cannot be physically
interchanged. Loss of the gauge
or a burst diaphragm within the
gauge present hazards to the crew. 

On some systems the loss of a differential pressure
gauge would allow hazards to go uncorrected. Vent-
ing any hazardous gas into the cabin from a burst
gauge also poses a direct hazard to the crew.
This criterion is designed to protect the crew from
credible hazards. No residual hazard exists if
this criterion is levied. Direct, serious injury
or death could occur if this criterion were not
levied and gas vented into the cabin. Indirect,
immediate, serious injury or death could occur if
a preventable malfunction occurred because of 
instrumentation. In either case, the criterion 
is mandatory. 

Inspection 

PV-12. Payload tank and pressure 
vessel design safety factors must 
be at least as conservative as 
the orbiter safety factors to
insure against loss of the vessel 
and inherent vehicle damage or 
crew injury. 

This criterion is designed to protect the crew
from a credible over-pressure hazard. Failure of 
pressure vessels, within the manned volume, could 
cause direct, immediate crew serious injury or 
death should over-pressure explosion occur. 
Pressure vessels outside the manned volume 
exploding could cause vehicle damage making safe 
termination impossible. The criterion is manda-
tory.

Analysis 

PV-13. Pressure vessels and/or 
lines that cannot meet at least
the orbiter safety factor, must
be protected so that personnel
cannot cause damage, and thus
lower the safety factor of the
vessels while working on or near 
these components. 

This criterion is to protect the crew from a 
credible hazard. No residual hazard will occur 
if this criterion is applied. If the pressure 
vessel is within the manned volume, failure of the 
vessel can cause direct, serious injury or death
to the crew member by venting a hazardous fluid or
from over-pressure. If the pressure vessel is
exterior to the manned volume, failure of the
vessel can cause damage to the aerodynamic capa-
bilities of the vehicle, preventing safe mission
termination. It should be noted that failure 
would not necessarily occur when damage occurs; 
failure could occur at next pressurization. In 
either case, the criterion is mandatory. 

Inspection 

PV-14. Capability shall be pro- 
vided for the orbiter crew to 
dump hazardous payload fluids and 
gases overboard within the time 
constraints imposed by an abort
situation so the fluids cannot be
released on impact/landing and
cause crew injury, and with the 
payload doors opened or closed. 
Dumping techniques must preclude 
mutually reactive fluids from 
mixing and resulting in a fire or 
explosion. 

This criterion applies to a sortie payload sub-
system (hydrogen, oxygen, etc.) and is designed to
protect the crew from a credible hazard of fire/
explosion on impact/landing. No residual hazard
exists if this criterion is applied. Injury as a
result of this hazard could be either direct or
indirect, but would be immediate in nature with
serious injury or death resulting from fire/ 
explosion. Thus, the criterion is mandatory. 

Inspection
DESIGN CRITERION


CATEGORIZING RATIONALE 


VERIFICATION 


DISCRETIONARY 


PV-15. Venting from a pressure
vessel must be non-propulsive to
preclude motion and off-balance 
crew injury. 


This criterion does not protect the crew from a
credible injury hazard. Indirect injury could
occur as a result of unanticipated vehicle motion
if venting is propulsive in nature, but venting
impulse versus the shuttle dynamics will not allow
significant motion to occur. Thus, the criterion
is discretionary. 


PV-16. A reservoir must be in-
corporated prior to a vent ter-
minus to permit required system 
venting during critical opera- 
tional periods without the 
corresponding propulsive forces 
and contamination around the 
orbiter.


Since venting impulse is non-propulsive in nature,
no credible crew hazard can occur from allowing the
venting to occur. This is a mission success
criterion statement. This criterion can be applied
to a sortie payload subsystem, but does not 
protect the crew from a credible hazard. The 
criterion is discretionary. 


PV-17. Quick-disconnects to
vacuum must be avoided for 
critical functions to preclude 
leaks. 


The only hazard involved with the use of quick-
disconnects is leakage. (Wrong connectors have
already been precluded.) The reliability of
currently approved quick-disconnects and the
application (plumbing with vent valving) pre-
cludes dangerous leakage. The residual leakage
hazard is not credible. The criterion is
discretionary. 


PV-18. When one pressure source
supplies multiple demands, worst
case design demands must be
taken into account so that re-
quired pressures are maintained.


Insufficient supply could cause a payload to fail.
However, any failure which could injure the crew
should be precluded by existing criteria, and the
under-pressure will not in itself cause danger to
the crew. Though this criterion can be applied to
a sortie payload, it does not present a credible
hazard to the crew if not applied to the payload.
The criterion is discretionary.


PV-19. All payload systems
using hydrogen peroxide must be
designed to permit accurate
determination of the rate of
active-oxygen loss from the
hydrogen peroxide. (See MSCM
8080, No. 44.)


Any use of hydrogen peroxide on the payload would
be functional in nature, and not a system upon
which the crew would be dependent. Depletion
of the hydrogen peroxide would terminate the
experiment, but would not generate a credible
crew hazard. Pressure and temperature con-
siderations have been treated elsewhere. Thus,
the criterion is discretionary.


PV-20. Where small safety factors
are involved (e.g. <2), capability
must be provided to measure the
parameter(s) required to detect
potential pressure vessel
failures.


Detecting pressure vessel failure may allow some
crew action to protect vehicle/crew (such as
manual venting); however, venting, burst disks,
etc., already preclude pressure vessel failure
from over-pressure and impact failure is also
precluded. Thus, this criterion is redundant to
others, and does not protect the crew from a
credible hazard, leaving the criterion as dis-
cretionary.
DESIGN CRITERION


CATEGORIZING RATIONALE 


VERIFICATION 


DISCRETIONARY 


PV-21. Gaseous content of pay-
load pressure vessels with
necessarily low safety factors 
(<TBD) must be small enough so 
that rapid isentropic expansion 
will not result in a hazardous 
over-pressure. 


This criterion is designed to protect the crew and
vehicle should a pressure vessel fail. Relief
venting is required to prevent any over-pressure
situations from occurring. The only remaining
hazard, then, is a fatigue type failure, and the
chances of this occurring are not credible.
Although the criterion can be levied on a sortie
payload, and is designed to protect the crew, the
hazard being eliminated is not credible. Thus,
the criterion is discretionary.


PV-22. Pressure vessels with
critically low safety factors
(<TBD) must be of shrapnel-
proof design or be provided with
shrapnel-proof barriers.


This criterion is designed to prevent shrapnel 
damage when a vessel bursts. However, since 
vent provisions are required, the vessel will not 
burst and the hazard is not credible. The 
criterion is therefore discretionary. 
Table 6-12. Structural (S) Criteria


DESIGN CRITERION

CATEGORIZING RATIONALE

VERIFICATION 

MANDATORY 

S-1. All rotating components
must be designed to preclude 
fragmentation damage to the 
vehicle or injury to the crew. 

This criterion prevents the occurrence of a credi-
ble crew hazard. This criterion controls this
hazard. There is no residual. If fragmentation
were to occur within the manned volume, shrapnel
could cause serious injury or death directly, and
immediately. If fragmentation occurs exterior to
the manned volume, serious damage can occur to the 
vehicle, making safe mission termination impossible. 
The criterion is mandatory. 

Analysis/Test 

S-2. Any payload deployment
system must provide positive con- 
trol of the payload movements and 
preclude permanent violation of 
the payload bay envelope. 

Uncontrolled motion of part of the payload allows
impact with, and damage to, the vehicle. In-
ability to remedy a violation of the payload bay
envelope precludes closing of the doors, and pre-
vents reentry. This criterion applies to the sub-
systems of a sortie payload, and is designed to
eliminate a credible crew hazard. If this hazard
were allowed to occur, indirect injury or death
can occur to the crew (delayed) because of an in-
ability to safely deorbit. The criterion is man-
datory. Stiffness of supports, fail operational/
fail-safe and jettison mechanisms are design
techniques to preclude these hazards.

Demonstration 

S-3. A safety factor of TBD
(referenced to worst case loads)
must be provided all mechanical 
fasteners used to lock or secure 
a payload component. 

This criterion applies to a sortie payload sub- 
system (mounting) and is designed to prevent a 
credible crew hazard. No residual hazard will 
occur if this criterion is applied. If a fastener 
or mount breaks loose within the manned volume, 
direct, serious injury or death can be caused by 
the flying object. If a fastener or mount breaks 
loose outside the manned volume, exterior damage 
to the vehicle can occur which will prevent safe 
entry. The criterion is mandatory. 

Analysis/Test 

S-4. Any payload using portable
containers must insure restraint 
of the containers when not in use 
to preclude loose object damage 
to vehicle or injury to crew. 

This criterion prevents a credible crew hazard from
flying objects. No residual hazard occurs if this
criterion is applied. Unsecured containers flying
about the manned volume can cause direct, serious
injury or death to a crew member by striking him.
The criterion is therefore mandatory. 

Inspection

S-5. Payloads must not be de- 
pendent on internal pressures for 
structural integrity if the 
shuttle vehicle could be damaged 
by loss of the pressure 
(integrity).

This criterion controls a credible hazard; no 
residual hazard occurs if this criterion is applied. 
Damage to the vehicle could be of a nature which 
would prevent safe entry (such as payload bay door
damage). This would cause an indirect, delayed 
hazard to the crew, making the criterion mandatory. 

Analysis/Test 

S-6. Manned, pressurized volumes 
must be designed to operate with- 
in the meteoroid environment de- 
fined in NASA SP-8013, dated 
March 1969, to prevent crew injury 
from sudden loss of atmosphere 
due to meteoroid impact. (See 
MSCM 8080, No. 21.) 

This criterion protects the crew from a credible 
hazard. No residual hazard exists if this
criterion is applied. Direct, serious injury or 
death could occur if this criterion is not applied, 
from sudden depressurization. The criterion is 
therefore mandatory. 

Test 
DESIGN CRITERION


CATEGORIZING RATIONALE 


VERIFICATION 


DISCRETIONARY


S-7. Payload equipment which
extends outside the payload bay
must be so located as to not
interfere with docking.


This criterion can be levied against a sortie pay-
load, but does not protect the crew against a
credible hazard. Normal interference of payload/
docking can be avoided by mission timeline; a
stuck-up payload can (and will) be jettisoned; and
the payload can be lowered to facilitate emergency
docking. Thus, there is no credible hazard, and
the criterion is discretionary.


S-8. Outer pressure walls of a
manned payload module must be 
accessible so pressure leaks can 
be located and repaired. 


This criterion can be levied against a sortie pay-
load, but does not protect the crew from a
credible hazard. S-6 requires the possibility of
puncture to be designed out, per NASA SP-8013; and
even if this low risk incident should occur, the
module can be evacuated using portable life support
equipment, required by E/I-18, and sealed off.
This design criterion is for mission success,
and is discretionary.
Table 6-13. Systems Interactions (SI) Criteria


DESIGN CRITERION

CATEGORIZING RATIONALE 

VERIFICATION 

MANDATORY 

SI-1. Safety status payload 
signals must be provided for crew 
display to allow control of pay- 
load hazards. 

This criterion requires warning the crew of a 
hazard where control can be exercised over the 
hazard. The hazard is credible, and no residual 
hazard exists if this criterion is applied (it is 
controlled). Within the manned volume, direct 
serious injury or death can occur from an uncon-
trolled hazard. Exterior to the manned volume, 
payload hazards can damage the vehicle, allowing 
indirect, immediate, serious injury or delayed 
inability to re-enter. The criterion is mandatory. 

Inspection 

SI-2. Automatic event-sequencing
programs must be capable of 
initiation only when commanded by 
a crew member or ground control 
if vehicle damage or crew injury 
could occur from unplanned opera- 
tion. 

This criterion protects the crew from a credible 
hazard of inadvertent operation. No residual 
hazard occurs if this criterion is applied.
Inadvertent operation within a manned volume can
cause direct, serious injury to the crew member.
Inadvertent operation exterior to the manned
volume can cause damage to the vehicle which will
make reentry unsafe (such as an extension boom
extending prior to the bay doors being opened).
In either case, the criterion is mandatory.

Inspection

SI-3. A single-signal mal- 
function must not generate a 
signal which could result in pre-
mature initiation of subsequent
sequences.

This criterion is to preclude a credible hazard, 
inadvertent initiation of sequences which may be 
remedial in nature. Such sequences initiated in 
an untimely manner can cause hazardous situations, 
or expend safety measures. The result can be in-
direct, immediate crew injury (by motion from
venting, etc.) or delayed, caused by inability to 
enter, making the criterion mandatory. 

Inspection 

SI-4. A single instrumentation
failure must not inhibit an auto- 
matic warning system from moni- 
toring other functions. 

This criterion controls a credible hazard which 
can impact the crew. The occurrence of one in- 
strument indication or malfunction must not allow 
another malfunction to go undetected, or crew 
injury can result, either directly or indirectly, 
as a function of the systems being monitored. The 
criterion is mandatory.

Inspection/Demonstration

SI-5. Provisions must be made
for verifying critical payload 
systems readiness before placing 
it on line. A critical system 
not configured for bringing on 
the line can react in a manner to 
cause a hazard. 

Bringing an improperly configured system on line
can cause a credible crew hazard. This hazard is
controlled by this criterion. The equipment or
system could react in a manner to cause either
direct or indirect crew injury, depending on the
system and its location. The criterion is
mandatory. 

Inspection 
7. CONCLUSIONS

During the course of this study, several points were noted that might 
be useful to NASA/JSC in implementation of requirements in the Shuttle era. 

7.1 STUDY RESULTS 

The results of this study will form the basis for detailed payload 
specifications to be written when quantitative shuttle data is available. 
Utilization of the mandatory design criteria will help assure that future 
shuttle sortie payloads insure the safety of the space shuttle vehicle and 
crew. Since Shuttle Program management will concentrate only on those 
criteria and specifications considered mandatory, considerable cost 
savings can be realized by reduced manpower, less need for Shuttle Program 
managerial cognizance over certain criteria, and less paperwork. Also, 
when new criteria are generated due to changes in subsystems, designs, or 
guidelines used by this study, the categorization process can be used to 
aid in managerial decision-making concerning the new criteria. 

7.2 PROGRAM OFFICES 

In past programs, frequently the same program office was responsible 
for payloads (experiments) and spacecraft development. This philosophy 
lends itself to working out design problems by modification of both the 
payload and spacecraft. This type of working situation will not be practical
in the shuttle era since the vehicle should not be modified for each suc- 
cessive payload. This working situation also leads to the payloads being 
designed and qualified to the same standards as the vehicle which is an 
expensive practice not necessarily in harmony with shuttle era philosophies. 

7.3 SYSTEMS SAFETY DESIGN CRITERIA CATEGORIES 

It is a conclusion of this study that two separate sets of systems
safety criteria should be applied to payloads in general. 

Safety criteria are necessary to provide crew/shuttle safety from 
the payloads. The criteria in this volume relate to crew safety from sortie 
payload hazards. 

The discretionary criteria in this volume pertain to mission success 
for the payload, and are implemented at the option of the payload integrator 
or developer. However, the payload user may decide that these discretionary
criteria may be mandatory to assure success of the payload. 

7.4 SAFETY REQUIREMENTS AND GUIDELINES 

The NASA/JSC Safety Office has produced a substantial set of safety 
requirements and guidelines. When a hardware contract is let, safety re- 
quirements are usually levied as part of the contract in addition to a 
requirement for a hazard analysis. Once a thorough hazards analysis has 
been performed for a type of equipment, subsequent hazards analyses are 
replowing old ground, except where new technology is being created on 
a particular piece of hardware. If JSC were to compile the accumulation 
of available safety requirements and guidelines into one source document, 
JSC could more effectively levy a complete set of safety requirements and 
eliminate the need for repetitive, detailed hazards analyses except where 
new technology is being implemented. 

7.5 HARDWARE SAFETY 

This study emphasized crew safety, with consideration given to vehicle 
hardware safety where vehicle damage could propagate into crew injury. For 
other systems safety criteria, the systems compatibility report (volume III) 
needs to be taken into consideration. 